[libvirt] [PATCH] qemu: Relax -no-shutdown check to [0.14.0, 0.15.0]

[Jiri Denemark]

The patch that fixes SIGTERM handling with -no-shutdown was taken into
0.15.1 stable release of qemu.
---
 src/qemu/qemu_capabilities.c |4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
index 8f16a49..2f55000 100644
--- a/src/qemu/qemu_capabilities.c
+++ b/src/qemu/qemu_capabilities.c
@@ -1018,9 +1018,9 @@ qemuCapsComputeCmdFlags(const char *help,
 
 /* Do not use -no-shutdown if qemu doesn't support it or SIGTERM handling
  * is most likely buggy when used with -no-shutdown (which applies for qemu
- * 0.14.* and 0.15.50)
+ * 0.14.* and 0.15.0)
  */
-if (strstr(help, -no-shutdown)  (version  14000 || version = 15050))
+if (strstr(help, -no-shutdown)  (version  14000 || version  15000))
 qemuCapsSet(flags, QEMU_CAPS_NO_SHUTDOWN);
 
 /*
-- 
1.7.7

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH] qemu: Do not wait if the PCI device is not managed when reattaching

[Osier Yang]

Waiting for qemu-kvm cleaning up the PCI bar(s) mapping with long time
while the device is not managed is just waste of time.
---
 src/qemu/qemu_hostdev.c |   15 ---
 1 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/qemu/qemu_hostdev.c b/src/qemu/qemu_hostdev.c
index c65f6f5..1fb373e 100644
--- a/src/qemu/qemu_hostdev.c
+++ b/src/qemu/qemu_hostdev.c
@@ -322,19 +322,20 @@ void qemuReattachPciDevice(pciDevice *dev, struct 
qemud_driver *driver)
 {
 int retries = 100;
 
+if (!pciDeviceGetManaged(dev))
+return;
+
 while (pciWaitForDeviceCleanup(dev, kvm_assigned_device)
 retries) {
 usleep(100*1000);
 retries--;
 }
 
-if (pciDeviceGetManaged(dev)) {
-if (pciReAttachDevice(dev, driver-activePciHostdevs)  0) {
-virErrorPtr err = virGetLastError();
-VIR_ERROR(_(Failed to re-attach PCI device: %s),
-  err ? err-message : _(unknown error));
-virResetError(err);
-}
+if (pciReAttachDevice(dev, driver-activePciHostdevs)  0) {
+virErrorPtr err = virGetLastError();
+VIR_ERROR(_(Failed to re-attach PCI device: %s),
+  err ? err-message : _(unknown error));
+virResetError(err);
 }
 }
 
-- 
1.7.6

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH] Add support for autodestroy of guests to the LXC and UML drivers

[Daniel P. Berrange]

From: Daniel P. Berrange berra...@redhat.com

I wrote this months ago and thought I had already submitted/merged
it. Obviously not. I need this for the virt sandbox tools asap.

We recently added support for VIR_DOMAIN_START_AUTODESTROY and
an impl to the QEMU driver. It is very desirable to support in
other drivers, so this adds it to LXC and UML

* src/lxc/lxc_conf.h, src/lxc/lxc_driver.c,
  src/uml/uml_conf.h, src/uml/uml_driver.c: Wire up autodestroy
  functions
---
 src/lxc/lxc_conf.h   |5 ++
 src/lxc/lxc_driver.c |  140 +--
 src/uml/uml_conf.h   |6 ++
 src/uml/uml_driver.c |  164 +++---
 4 files changed, 289 insertions(+), 26 deletions(-)

diff --git a/src/lxc/lxc_conf.h b/src/lxc/lxc_conf.h
index 66aa469..b124330 100644
--- a/src/lxc/lxc_conf.h
+++ b/src/lxc/lxc_conf.h
@@ -56,6 +56,11 @@ struct __lxc_driver {
 int have_netns;
 
 virDomainEventStatePtr domainEventState;
+
+/* Mapping of 'char *uuidstr' - virConnectPtr
+ * of guests which will be automatically killed
+ * when the virConnectPtr is closed*/
+virHashTablePtr autodestroy;
 };
 
 int lxcLoadDriverConfig(lxc_driver_t *driver);
diff --git a/src/lxc/lxc_driver.c b/src/lxc/lxc_driver.c
index c475887..f08e8d1 100644
--- a/src/lxc/lxc_driver.c
+++ b/src/lxc/lxc_driver.c
@@ -110,6 +110,19 @@ static void lxcDomainEventFlush(int timer, void *opaque);
 static void lxcDomainEventQueue(lxc_driver_t *driver,
 virDomainEventPtr event);
 
+static int lxcVmTerminate(lxc_driver_t *driver,
+  virDomainObjPtr vm,
+  virDomainShutoffReason reason);
+static int lxcProcessAutoDestroyInit(lxc_driver_t *driver);
+static void lxcProcessAutoDestroyRun(lxc_driver_t *driver,
+ virConnectPtr conn);
+static void lxcProcessAutoDestroyShutdown(lxc_driver_t *driver);
+static int lxcProcessAutoDestroyAdd(lxc_driver_t *driver,
+virDomainObjPtr vm,
+virConnectPtr conn);
+static int lxcProcessAutoDestroyRemove(lxc_driver_t *driver,
+   virDomainObjPtr vm);
+
 
 static virDrvOpenStatus lxcOpen(virConnectPtr conn,
 virConnectAuthPtr auth ATTRIBUTE_UNUSED,
@@ -165,6 +178,7 @@ static int lxcClose(virConnectPtr conn)
 lxcDriverLock(driver);
 virDomainEventCallbackListRemoveConn(conn,
  driver-domainEventState-callbacks);
+lxcProcessAutoDestroyRun(driver, conn);
 lxcDriverUnlock(driver);
 
 conn-privateData = NULL;
@@ -1001,6 +1015,104 @@ cleanup:
 }
 
 
+static int lxcProcessAutoDestroyInit(lxc_driver_t *driver)
+{
+if (!(driver-autodestroy = virHashCreate(5, NULL)))
+return -1;
+
+return 0;
+}
+
+struct lxcProcessAutoDestroyData {
+lxc_driver_t *driver;
+virConnectPtr conn;
+};
+
+static void lxcProcessAutoDestroyDom(void *payload,
+ const void *name,
+ void *opaque)
+{
+struct lxcProcessAutoDestroyData *data = opaque;
+virConnectPtr conn = payload;
+const char *uuidstr = name;
+unsigned char uuid[VIR_UUID_BUFLEN];
+virDomainObjPtr dom;
+virDomainEventPtr event = NULL;
+
+VIR_DEBUG(conn=%p uuidstr=%s thisconn=%p, conn, uuidstr, data-conn);
+
+if (data-conn != conn)
+return;
+
+if (virUUIDParse(uuidstr, uuid)  0) {
+VIR_WARN(Failed to parse %s, uuidstr);
+return;
+}
+
+if (!(dom = virDomainFindByUUID(data-driver-domains,
+uuid))) {
+VIR_DEBUG(No domain object to kill);
+return;
+}
+
+VIR_DEBUG(Killing domain);
+lxcVmTerminate(data-driver, dom, VIR_DOMAIN_SHUTOFF_DESTROYED);
+virDomainAuditStop(dom, destroyed);
+event = virDomainEventNewFromObj(dom,
+ VIR_DOMAIN_EVENT_STOPPED,
+ VIR_DOMAIN_EVENT_STOPPED_DESTROYED);
+
+if (dom  !dom-persistent)
+virDomainRemoveInactive(data-driver-domains, dom);
+
+if (dom)
+virDomainObjUnlock(dom);
+if (event)
+lxcDomainEventQueue(data-driver, event);
+virHashRemoveEntry(data-driver-autodestroy, uuidstr);
+}
+
+/*
+ * Precondition: driver is locked
+ */
+static void lxcProcessAutoDestroyRun(lxc_driver_t *driver, virConnectPtr conn)
+{
+struct lxcProcessAutoDestroyData data = {
+driver, conn
+};
+VIR_DEBUG(conn=%p, conn);
+virHashForEach(driver-autodestroy, lxcProcessAutoDestroyDom, data);
+}
+
+static void lxcProcessAutoDestroyShutdown(lxc_driver_t *driver)
+{
+virHashFree(driver-autodestroy);
+}
+
+static int lxcProcessAutoDestroyAdd(lxc_driver_t *driver,
+virDomainObjPtr vm,
+

Re: [libvirt] [PATCH] qemu: Relax -no-shutdown check to [0.14.0, 0.15.0]

[Michal Privoznik]

On 17.10.2011 12:18, Jiri Denemark wrote:
 The patch that fixes SIGTERM handling with -no-shutdown was taken into
 0.15.1 stable release of qemu.
 ---
  src/qemu/qemu_capabilities.c |4 ++--
  1 files changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/src/qemu/qemu_capabilities.c b/src/qemu/qemu_capabilities.c
 index 8f16a49..2f55000 100644
 --- a/src/qemu/qemu_capabilities.c
 +++ b/src/qemu/qemu_capabilities.c
 @@ -1018,9 +1018,9 @@ qemuCapsComputeCmdFlags(const char *help,
  
  /* Do not use -no-shutdown if qemu doesn't support it or SIGTERM handling
   * is most likely buggy when used with -no-shutdown (which applies for 
 qemu
 - * 0.14.* and 0.15.50)
 + * 0.14.* and 0.15.0)
   */
 -if (strstr(help, -no-shutdown)  (version  14000 || version = 
 15050))
 +if (strstr(help, -no-shutdown)  (version  14000 || version  15000))
  qemuCapsSet(flags, QEMU_CAPS_NO_SHUTDOWN);
  
  /*

I'd just add it's fixed by commit v0.15.0-rc0-885-gd9389b9 in qemu, so

ACK

Michal

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH v2] qemu: Do not reattach PCI device used by other domain when shutdown

[Osier Yang]

于 2011年10月17日 09:40, Osier Yang 写道:

于 2011年10月15日 02:53, Eric Blake 写道:

On 10/12/2011 10:05 PM, Osier Yang wrote:

When failing on starting a domain, it tries to reattach all the PCI
devices defined in the domain conf, regardless of whether the devices
are still used by other domain. This will cause the devices to be 
deleted

from the list qemu_driver-activePciHostdevs, thus the devices will be
thought as usable even if it's not true. And following commands
nodedev-{reattach,reset} will be successful.

How to reproduce:
   1) Define two domains with same PCI device defined in the confs.
   2) # virsh start domain1
   3) # virsh start domain2
   4) # virsh nodedev-reattach $pci_device


This time around, I actually spent time reproducing the bug scenario 
on hardware rather than just analyzing by inspection (it took me a 
while to figure out why the same machine that used to let me do pci 
passthrough was no longer working, until I realized that my hardware 
is old enough to be insecure, and I've upgraded software since my 
last passthrough test, so the CVE fix from 
https://bugzilla.redhat.com/show_bug.cgi?id=71 has to be 
intentionally bypassed for me to get passthrough again).  With that 
testing, I proved that this patch prevents that problem.  But, as 
written, your patch caused the dreaded An error occurred, but the 
cause is unknown.




You will see the device will be reattached to host successfully.
As pciDeviceReattach just check if the device is still used by
other domain via checking if the device is in list 
driver-activePciHostdevs,

however, the device is deleted from the list by step 2).

This patch is to prohibit the bug by:
   1) Prohibit a domain starting or device attachment right at
  preparation period (qemuPrepareHostdevPCIDevices) if the
  device is in list driver-activePciHostdevs, which means
  it's used by other domain.

   2) Introduces a new field for struct _pciDevice, (const char 
*used_by),

  it will be set as the domain name at preparation period,
  (qemuPrepareHostdevPCIDevices). Thus we can prohibit deleting
  the device from driver-activePciHostdevs if it's still used by
  other domain when stopping the domain process.



@@ -111,7 +112,7 @@ int qemuPrepareHostdevPCIDevices(struct 
qemud_driver *driver,

  if (!(pcidevs = qemuGetPciHostDeviceList(hostdevs, nhostdevs)))
  return -1;

-/* We have to use 4 loops here. *All* devices must
+/* We have to use 6 loops here. *All* devices must
   * be detached before we reset any of them, because
   * in some cases you have to reset the whole PCI,
   * which impacts all devices on it. Also, all devices


I added further loop labels.


+/* The device is in use by other active domain if
+ * the dev is in list driver-activePciHostdevs.
+ */
+if (!pciDeviceIsAssignable(dev, !driver-relaxedACS) ||
+pciDeviceListFind(driver-activePciHostdevs, dev))
+goto cleanup;
+}


Here's where the bad message comes in - you jump to cleanup without 
ever emitting an error message.  Not to mention now that we have the 
new used_by field, the message could actually be informative :)  With 
my changes below, I get the much nicer:


Error starting domain: Requested operation is not valid: PCI device 
:0a:0a.0 is in use by domain dom


Oh, right, thanks for the fixing, :)



@@ -277,6 +298,18 @@ void qemuDomainReAttachHostdevDevices(struct 
qemud_driver *driver,


  for (i = 0; i  pciDeviceListCount(pcidevs); i++) {
  pciDevice *dev = pciDeviceListGet(pcidevs, i);
+pciDevice *activeDev = NULL;
+const char *used_by = NULL;
+
+/* Never delete the dev from list driver-activePciHostdevs
+ *  if it's used by other domain.
+ */
+activeDev = pciDeviceListFind(driver-activePciHostdevs, dev);
+if (activeDev
+(used_by = pciDeviceGetUsedBy(activeDev))
+STRNEQ(name, used_by))
+continue;




used_by is kept as it might be NULL.



In that case, use STRNEQ_NULLABLE.  But you are right - across 
libvirtd restarts, we lose track of which domain owns the device - so 
I did indeed reproduce a case of NULL.  Perhaps food for a later 
patch (when reloading domains, cycle through all hostdevs in use by 
active domains to repopulate the used_by fields).  But not a 
show-stopper to getting this bug fix in now.


Yes, I didn't realize this, we need further patch.



After thinking a while, even we set the used_by during domains reloading,
the other attrs (dev-unbind_from_stub, dev-reprobe, dev-remove_slot)
of the PCI dev still will be lost. We can't known what values should be
for these attrs as generally they are initialized when do preparation,
however the preparations are already passed, and the devices are using
by the running domains. And thus the device won't be bound to the
original driver (if it had) correctly, or mistakenly bound to 

[libvirt] [libvirt-glib] Remove vir- prefix from signals

[Christophe Fergeau]

gobject signals are generally not namespaced this way, removing
this prefix makes things look a bit nicer.
---
 libvirt-gobject/libvirt-gobject-connection.c |   50 +-
 libvirt-gobject/libvirt-gobject-domain.c |   10 +++---
 libvirt-gobject/libvirt-gobject-manager.c|8 ++--
 3 files changed, 34 insertions(+), 34 deletions(-)

diff --git a/libvirt-gobject/libvirt-gobject-connection.c 
b/libvirt-gobject/libvirt-gobject-connection.c
index 4832908..8813e96 100644
--- a/libvirt-gobject/libvirt-gobject-connection.c
+++ b/libvirt-gobject/libvirt-gobject-connection.c
@@ -170,7 +170,7 @@ static void gvir_connection_class_init(GVirConnectionClass 
*klass)
 G_PARAM_STATIC_NICK |
 G_PARAM_STATIC_BLURB));
 
-signals[VIR_CONNECTION_OPENED] = g_signal_new(vir-connection-opened,
+signals[VIR_CONNECTION_OPENED] = g_signal_new(connection-opened,
  G_OBJECT_CLASS_TYPE(object_class),
  G_SIGNAL_RUN_FIRST,
  G_STRUCT_OFFSET(GVirConnectionClass, vir_connection_opened),
@@ -179,7 +179,7 @@ static void gvir_connection_class_init(GVirConnectionClass 
*klass)
  G_TYPE_NONE,
  0);
 
-signals[VIR_CONNECTION_CLOSED] = g_signal_new(vir-connection-closed,
+signals[VIR_CONNECTION_CLOSED] = g_signal_new(connection-closed,
  G_OBJECT_CLASS_TYPE(object_class),
  G_SIGNAL_RUN_FIRST,
  G_STRUCT_OFFSET(GVirConnectionClass, vir_connection_closed),
@@ -188,7 +188,7 @@ static void gvir_connection_class_init(GVirConnectionClass 
*klass)
  G_TYPE_NONE,
  0);
 
-signals[VIR_DOMAIN_ADDED] = g_signal_new(vir-domain-added,
+signals[VIR_DOMAIN_ADDED] = g_signal_new(domain-added,
  G_OBJECT_CLASS_TYPE(object_class),
  G_SIGNAL_RUN_FIRST,
  G_STRUCT_OFFSET(GVirConnectionClass, vir_domain_added),
@@ -198,7 +198,7 @@ static void gvir_connection_class_init(GVirConnectionClass 
*klass)
  1,
  G_TYPE_OBJECT);
 
-signals[VIR_DOMAIN_REMOVED] = g_signal_new(vir-domain-removed,
+signals[VIR_DOMAIN_REMOVED] = g_signal_new(domain-removed,
  G_OBJECT_CLASS_TYPE(object_class),
  G_SIGNAL_RUN_FIRST,
  G_STRUCT_OFFSET(GVirConnectionClass, vir_domain_removed),
@@ -282,7 +282,7 @@ static int domain_event_cb(virConnectPtr conn G_GNUC_UNUSED,
 if (detail == VIR_DOMAIN_EVENT_DEFINED_ADDED)
 g_signal_emit(gconn, signals[VIR_DOMAIN_ADDED], 0, gdom);
 else if (detail == VIR_DOMAIN_EVENT_DEFINED_UPDATED)
-g_signal_emit_by_name(gdom, vir-updated);
+g_signal_emit_by_name(gdom, updated);
 else
 g_warn_if_reached();
 break;
@@ -301,60 +301,60 @@ static int domain_event_cb(virConnectPtr conn 
G_GNUC_UNUSED,
 
 case VIR_DOMAIN_EVENT_STARTED:
 if (detail == VIR_DOMAIN_EVENT_STARTED_BOOTED)
-g_signal_emit_by_name(gdom, vir-started::booted);
+g_signal_emit_by_name(gdom, started::booted);
 else if (detail == VIR_DOMAIN_EVENT_STARTED_MIGRATED)
-g_signal_emit_by_name(gdom, vir-started::migrated);
+g_signal_emit_by_name(gdom, started::migrated);
 else if (detail == VIR_DOMAIN_EVENT_STARTED_RESTORED)
-g_signal_emit_by_name(gdom, vir-started::restored);
+g_signal_emit_by_name(gdom, started::restored);
 else if (detail == VIR_DOMAIN_EVENT_STARTED_FROM_SNAPSHOT)
-g_signal_emit_by_name(gdom, vir-started::from-snapshot);
+g_signal_emit_by_name(gdom, started::from-snapshot);
 else
 g_warn_if_reached();
 break;
 
 case VIR_DOMAIN_EVENT_SUSPENDED:
 if (detail == VIR_DOMAIN_EVENT_SUSPENDED_PAUSED)
-g_signal_emit_by_name(gdom, vir-suspended::paused);
+g_signal_emit_by_name(gdom, suspended::paused);
 else if (detail == VIR_DOMAIN_EVENT_SUSPENDED_MIGRATED)
-g_signal_emit_by_name(gdom, vir-suspended::migrated);
+g_signal_emit_by_name(gdom, suspended::migrated);
 else if (detail == VIR_DOMAIN_EVENT_SUSPENDED_IOERROR)
-g_signal_emit_by_name(gdom, vir-suspended::ioerror);
+g_signal_emit_by_name(gdom, suspended::ioerror);
 else if (detail == VIR_DOMAIN_EVENT_SUSPENDED_WATCHDOG)
-g_signal_emit_by_name(gdom, vir-suspended::watchdog);
+g_signal_emit_by_name(gdom, suspended::watchdog);
 else if (detail == VIR_DOMAIN_EVENT_SUSPENDED_RESTORED)
-g_signal_emit_by_name(gdom, vir-suspended::restored);
+

Re: [libvirt] [PATCHv2 01/13] virbuf: fix const-correctness

[Hai Dong Li]

On 09/30/2011 12:22 AM, Eric Blake wrote:

Although the compiler wasn't complaining (since it was the pointer,
rather than what was being pointed to, that was actually const), it
looks quite suspicious to call a function with an argument labeled
const when the nature of the pointer (virBufferPtr) is hidden behind
a typedef.  Dropping const makes the function declarations easier
to read.

* src/util/buf.h: Drop const from all functions that modify buffer
argument.
* src/util/buf.c (virBufferSetError, virBufferAdd)
(virBufferContentAndReset, virBufferFreeAndReset)
(virBufferAsprintf, virBufferVasprintf, virBufferEscapeString)
(virBufferEscapeSexpr): Fix fallout.
---
  src/util/buf.c |   28 ++--
  src/util/buf.h |   22 --
  2 files changed, 26 insertions(+), 24 deletions(-)

diff --git a/src/util/buf.c b/src/util/buf.c
index 5002486..c737696 100644
--- a/src/util/buf.c
+++ b/src/util/buf.c
@@ -39,7 +39,7 @@ struct _virBuffer {
   * freeing the content and setting the error flag.
   */
  static void
-virBufferSetError(const virBufferPtr buf)
+virBufferSetError(virBufferPtr buf)
  {
  VIR_FREE(buf-content);
  buf-size = 0;
@@ -113,7 +113,7 @@ virBufferAdd(const virBufferPtr buf, const char *str, int 
len)

Maybe a typo here?The virBufferPtr still remains const, but the 
declaration of this function in the buf.h shows this const is removed, too.

  /**
   * virBufferAddChar:
- * @buf: the buffer to add to
+ * @buf: the buffer to append to
   * @c: the character to add
   *
   * Add a single character 'c' to a buffer.
@@ -150,7 +150,7 @@ virBufferAddChar (virBufferPtr buf, char c)
   * Returns the buffer content or NULL in case of error.
   */
  char *
-virBufferContentAndReset(const virBufferPtr buf)
+virBufferContentAndReset(virBufferPtr buf)
  {
  char *str;
  if (buf == NULL)
@@ -172,7 +172,7 @@ virBufferContentAndReset(const virBufferPtr buf)
   *
   * Frees the buffer content and resets the buffer structure.
   */
-void virBufferFreeAndReset(const virBufferPtr buf)
+void virBufferFreeAndReset(virBufferPtr buf)
  {
  char *str = virBufferContentAndReset(buf);

@@ -214,14 +214,14 @@ virBufferUse(const virBufferPtr buf)

  /**
   * virBufferAsprintf:
- * @buf:  the buffer to dump
+ * @buf: the buffer to append to
   * @format:  the format
   * @...:  the variable list of arguments
   *
   * Do a formatted print to an XML buffer.
   */
  void
-virBufferAsprintf(const virBufferPtr buf, const char *format, ...)
+virBufferAsprintf(virBufferPtr buf, const char *format, ...)
  {
  va_list argptr;
  va_start(argptr, format);
@@ -238,7 +238,7 @@ virBufferAsprintf(const virBufferPtr buf, const char 
*format, ...)
   * Do a formatted print to an XML buffer.
   */
  void
-virBufferVasprintf(const virBufferPtr buf, const char *format, va_list argptr)
+virBufferVasprintf(virBufferPtr buf, const char *format, va_list argptr)
  {
  int size, count, grow_size;
  va_list copy;
@@ -285,7 +285,7 @@ virBufferVasprintf(const virBufferPtr buf, const char 
*format, va_list argptr)

  /**
   * virBufferEscapeString:
- * @buf:  the buffer to dump
+ * @buf: the buffer to append to
   * @format: a printf like format string but with only one %s parameter
   * @str:  the string argument which need to be escaped
   *
@@ -293,7 +293,7 @@ virBufferVasprintf(const virBufferPtr buf, const char 
*format, va_list argptr)
   * is escaped to avoid generating a not well-formed XML instance.
   */
  void
-virBufferEscapeString(const virBufferPtr buf, const char *format, const char 
*str)
+virBufferEscapeString(virBufferPtr buf, const char *format, const char *str)
  {
  int len;
  char *escaped, *out;
@@ -370,7 +370,7 @@ virBufferEscapeString(const virBufferPtr buf, const char 
*format, const char *st

  /**
   * virBufferEscapeSexpr:
- * @buf:  the buffer to dump
+ * @buf: the buffer to append to
   * @format: a printf like format string but with only one %s parameter
   * @str:  the string argument which need to be escaped
   *
@@ -379,7 +379,7 @@ virBufferEscapeString(const virBufferPtr buf, const char 
*format, const char *st
   * doesn't fully escape the sexpr, just enough for our code to work.
   */
  void
-virBufferEscapeSexpr(const virBufferPtr buf,
+virBufferEscapeSexpr(virBufferPtr buf,
   const char *format,
   const char *str)
  {
@@ -426,7 +426,7 @@ virBufferEscapeSexpr(const virBufferPtr buf,

  /**
   * virBufferURIEncodeString:
- * @buf:  the buffer to append to
+ * @buf: the buffer to append to
   * @str:  the string argument which will be URI-encoded
   *
   * Append the string to the buffer.  The string will be URI-encoded
@@ -434,7 +434,7 @@ virBufferEscapeSexpr(const virBufferPtr buf,
   * with '%xx' hex sequences).
   */
  void
-virBufferURIEncodeString (virBufferPtr buf, const char *str)
+virBufferURIEncodeString(virBufferPtr buf, const char *str)
  {
  int grow_size = 0;
  const char *p;
@@ 

Re: [libvirt] [libvirt-glib] Remove vir- prefix from signals

[Daniel P. Berrange]

On Mon, Oct 17, 2011 at 01:32:58PM +0200, Christophe Fergeau wrote:
 gobject signals are generally not namespaced this way, removing
 this prefix makes things look a bit nicer.
 ---
  libvirt-gobject/libvirt-gobject-connection.c |   50 
 +-
  libvirt-gobject/libvirt-gobject-domain.c |   10 +++---
  libvirt-gobject/libvirt-gobject-manager.c|8 ++--
  3 files changed, 34 insertions(+), 34 deletions(-)
 
 diff --git a/libvirt-gobject/libvirt-gobject-connection.c 
 b/libvirt-gobject/libvirt-gobject-connection.c
 index 4832908..8813e96 100644
 --- a/libvirt-gobject/libvirt-gobject-connection.c
 +++ b/libvirt-gobject/libvirt-gobject-connection.c
 @@ -170,7 +170,7 @@ static void 
 gvir_connection_class_init(GVirConnectionClass *klass)
  G_PARAM_STATIC_NICK |
  
 G_PARAM_STATIC_BLURB));
  
 -signals[VIR_CONNECTION_OPENED] = g_signal_new(vir-connection-opened,
 +signals[VIR_CONNECTION_OPENED] = g_signal_new(connection-opened,
   G_OBJECT_CLASS_TYPE(object_class),
   G_SIGNAL_RUN_FIRST,
   G_STRUCT_OFFSET(GVirConnectionClass, vir_connection_opened),
 @@ -179,7 +179,7 @@ static void 
 gvir_connection_class_init(GVirConnectionClass *klass)
   G_TYPE_NONE,
   0);
  
 -signals[VIR_CONNECTION_CLOSED] = g_signal_new(vir-connection-closed,
 +signals[VIR_CONNECTION_CLOSED] = g_signal_new(connection-closed,
   G_OBJECT_CLASS_TYPE(object_class),
   G_SIGNAL_RUN_FIRST,
   G_STRUCT_OFFSET(GVirConnectionClass, vir_connection_closed),
 @@ -188,7 +188,7 @@ static void 
 gvir_connection_class_init(GVirConnectionClass *klass)
   G_TYPE_NONE,
   0);
  
 -signals[VIR_DOMAIN_ADDED] = g_signal_new(vir-domain-added,
 +signals[VIR_DOMAIN_ADDED] = g_signal_new(domain-added,
   G_OBJECT_CLASS_TYPE(object_class),
   G_SIGNAL_RUN_FIRST,
   G_STRUCT_OFFSET(GVirConnectionClass, vir_domain_added),
 @@ -198,7 +198,7 @@ static void 
 gvir_connection_class_init(GVirConnectionClass *klass)
   1,
   G_TYPE_OBJECT);
  
 -signals[VIR_DOMAIN_REMOVED] = g_signal_new(vir-domain-removed,
 +signals[VIR_DOMAIN_REMOVED] = g_signal_new(domain-removed,
   G_OBJECT_CLASS_TYPE(object_class),
   G_SIGNAL_RUN_FIRST,
   G_STRUCT_OFFSET(GVirConnectionClass, vir_domain_removed),
 @@ -282,7 +282,7 @@ static int domain_event_cb(virConnectPtr conn 
 G_GNUC_UNUSED,
  if (detail == VIR_DOMAIN_EVENT_DEFINED_ADDED)
  g_signal_emit(gconn, signals[VIR_DOMAIN_ADDED], 0, gdom);
  else if (detail == VIR_DOMAIN_EVENT_DEFINED_UPDATED)
 -g_signal_emit_by_name(gdom, vir-updated);
 +g_signal_emit_by_name(gdom, updated);
  else
  g_warn_if_reached();
  break;
 @@ -301,60 +301,60 @@ static int domain_event_cb(virConnectPtr conn 
 G_GNUC_UNUSED,
  
  case VIR_DOMAIN_EVENT_STARTED:
  if (detail == VIR_DOMAIN_EVENT_STARTED_BOOTED)
 -g_signal_emit_by_name(gdom, vir-started::booted);
 +g_signal_emit_by_name(gdom, started::booted);
  else if (detail == VIR_DOMAIN_EVENT_STARTED_MIGRATED)
 -g_signal_emit_by_name(gdom, vir-started::migrated);
 +g_signal_emit_by_name(gdom, started::migrated);
  else if (detail == VIR_DOMAIN_EVENT_STARTED_RESTORED)
 -g_signal_emit_by_name(gdom, vir-started::restored);
 +g_signal_emit_by_name(gdom, started::restored);
  else if (detail == VIR_DOMAIN_EVENT_STARTED_FROM_SNAPSHOT)
 -g_signal_emit_by_name(gdom, vir-started::from-snapshot);
 +g_signal_emit_by_name(gdom, started::from-snapshot);
  else
  g_warn_if_reached();
  break;
  
  case VIR_DOMAIN_EVENT_SUSPENDED:
  if (detail == VIR_DOMAIN_EVENT_SUSPENDED_PAUSED)
 -g_signal_emit_by_name(gdom, vir-suspended::paused);
 +g_signal_emit_by_name(gdom, suspended::paused);
  else if (detail == VIR_DOMAIN_EVENT_SUSPENDED_MIGRATED)
 -g_signal_emit_by_name(gdom, vir-suspended::migrated);
 +g_signal_emit_by_name(gdom, suspended::migrated);
  else if (detail == VIR_DOMAIN_EVENT_SUSPENDED_IOERROR)
 -g_signal_emit_by_name(gdom, vir-suspended::ioerror);
 +g_signal_emit_by_name(gdom, suspended::ioerror);
  else if (detail == VIR_DOMAIN_EVENT_SUSPENDED_WATCHDOG)
 -g_signal_emit_by_name(gdom, vir-suspended::watchdog);
 +g_signal_emit_by_name(gdom, 

Re: [libvirt] [PATCH 1/1] lxc: use our own hand-rolled code in place of unlockpt and grantpt

[Serge E. Hallyn]

Quoting Eli Qiao (ta...@linux.vnet.ibm.com):
 hi Serge :

Thanks for taking a look.

 I checked the code ,  only in lxc_controller.c call virFileOpenTtyAt().
 I didn't test the path, but my suggestion is that modify the
 utility function in /src/util/util.c instead of adding a new
 function.

But virFileOpenTtyAt() is called by virFileOpenTty() in the same
file.  So we really do want a new function using its own versions of
grantpt+unlockpt, because I think that, when we can, we want to continue
using the glibc versions.

So the safe approach seemed to me to be: put the container-specific
code into src/lxc/lxc_controller.c, then (in a separate patch) just fold
virFileOpenTtyAt(), straight into virFileOpenTty().

If you agree, I'll post a new version incorporating your other feedback,
especially the garish use of alloca :)

(If you disagree, please feel free to send your own patch - I'm in no
way attached to having my version included, I mainly wanted to point out
the bug)

thanks,
-serge

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [BUG, RFC] Python generator: missing error_codes in generated libvirError exceptions

[Philipp Hahn]

Hello,

I just encountered a situation, where a KVM instance was reported as no 
state in virsh. This broke some code of mine, which was 
using lookupByUUID() to lookup several VMs. The Python code did raise a 
libvirt.libvirtError('virDomainLookupByUUID() failed',), where all 
get_error_*() functions return None. This is because the generated libvirt.py 
wrapper just raises libvirtError('%s() failed'), which makes deteting the 
exact fault harder. My current code explicitly checks for get_error_code() == 
VIR_ERR_NO_DOMAIN.
On further investigation I also noticed that qemudDomainLookupByUUID() uses 
qemuReportError() to reports the error condition, which doesn't associate 
that error condition with the connection.

What's the most appropriate way to fix this:
1. Assume lookupBy*() only will ever report an invalid lookup key and catch 
all libvirtErrors?
2. Parse the exception string?
3. Extend the generator to add additional information from annotations?
4. Replace the generated code with hand-extended code.

Any ideas? Thanks for your input.

Sincerely
Philipp
-- 
Philipp Hahn   Open Source Software Engineer  h...@univention.de
Univention GmbHLinux for Your Businessfon: +49 421 22 232- 0
Mary-Somerville-Str.1  D-28359 Bremen fax: +49 421 22 232-99
   http://www.univention.de/


signature.asc
Description: This is a digitally signed message part.
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH 00/10] Console coruption with two or more clients series

[Peter Krempa]

I rebased this series for current head. To fetch this series from my 
repo conviniently:

git checkout -b console_corruption 1afcfbdda0cac112faa61f74ec943e46aa43f2f5
git pull git://aeon.pipo.sk/libvirt.git console_corruption

Peter

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH 1/1] lxc: use our own hand-rolled code in place of unlockpt and grantpt

[Eric Blake]

On 10/17/2011 07:26 AM, Serge E. Hallyn wrote:

Quoting Eli Qiao (ta...@linux.vnet.ibm.com):

hi Serge :


Thanks for taking a look.


 I checked the code ,  only in lxc_controller.c call virFileOpenTtyAt().
 I didn't test the path, but my suggestion is that modify the
utility function in /src/util/util.c instead of adding a new
function.


But virFileOpenTtyAt() is called by virFileOpenTty() in the same
file.  So we really do want a new function using its own versions of
grantpt+unlockpt, because I think that, when we can, we want to continue
using the glibc versions.

So the safe approach seemed to me to be: put the container-specific
code into src/lxc/lxc_controller.c, then (in a separate patch) just fold
virFileOpenTtyAt(), straight into virFileOpenTty().


Correct - my intent was that we have:

src/util/util.c: virFileOpenTty() - generally useful by any driver, uses 
glibc, and also should use posix_openpt rather than than 
open(/dev/ptmx) for portability (gnulib provides posix_openpt). 
Completely ditch virFileOpenTtyAt() by inlining it back to 
virFileOpenTty(), and since no one could use what virFileOpenTtyAt() 
claimed to provide except in the portable case where virFileOpenTty() 
was sufficient.


src/lxc/lxc_controller.c - LXC-specific function that uses ioctl() 
instead of glibc for opening a private tty.


--
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH V1 2/6] Introduce an internal priority for chains

[Stefan Berger]

For better handling of the sorting of chains introduce an internally used
priority. Use a lookup table to store the priorities. For now their actual
values do not matter just that the values cause the chains to be properly
sorted through changes in the following patches.

---
 src/conf/nwfilter_conf.c  |   19 +++
 src/conf/nwfilter_conf.h  |3 +++
 src/nwfilter/nwfilter_ebiptables_driver.c |4 
 src/nwfilter/nwfilter_ebiptables_driver.h |1 +
 4 files changed, 27 insertions(+)

Index: libvirt-acl/src/conf/nwfilter_conf.h
===
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -355,6 +355,7 @@ enum virNWFilterEbtablesTableType {
 };
 
 
+# define MIN_RULE_PRIORITY  0
 # define MAX_RULE_PRIORITY  1000
 
 enum virNWFilterRuleFlags {
@@ -434,6 +435,7 @@ enum virNWFilterChainSuffixType {
 VIR_NWFILTER_CHAINSUFFIX_LAST,
 };
 
+typedef int32_t virNWFilterChainPriority;
 
 typedef struct _virNWFilterDef virNWFilterDef;
 typedef virNWFilterDef *virNWFilterDefPtr;
@@ -443,6 +445,7 @@ struct _virNWFilterDef {
 unsigned char uuid[VIR_UUID_BUFLEN];
 
 int chainsuffix; /*enum virNWFilterChainSuffixType */
+virNWFilterChainPriority chainPriority;
 
 int nentries;
 virNWFilterEntryPtr *filterEntries;
Index: libvirt-acl/src/conf/nwfilter_conf.c
===
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -120,6 +120,20 @@ struct int_map {
 #define INTMAP_ENTRY(ATT, VAL) { .attr = ATT, .val = VAL }
 #define INTMAP_ENTRY_LAST  { .val = NULL }
 
+#define NWFILTER_ROOT_FILTER_PRI   0
+#define NWFILTER_IPV4_FILTER_PRI 200
+#define NWFILTER_IPV6_FILTER_PRI 400
+#define NWFILTER_ARP_FILTER_PRI  600
+#define NWFILTER_RARP_FILTER_PRI 800
+
+static const struct int_map chain_priorities[] = {
+INTMAP_ENTRY(NWFILTER_ROOT_FILTER_PRI, root),
+INTMAP_ENTRY(NWFILTER_IPV4_FILTER_PRI, ipv4),
+INTMAP_ENTRY(NWFILTER_IPV6_FILTER_PRI, ipv6),
+INTMAP_ENTRY(NWFILTER_ARP_FILTER_PRI , arp ),
+INTMAP_ENTRY(NWFILTER_RARP_FILTER_PRI, rarp),
+INTMAP_ENTRY_LAST,
+};
 
 /*
  * only one filter update allowed
@@ -2026,6 +2040,11 @@ virNWFilterDefParseXML(xmlXPathContextPt
_(unknown chain suffix '%s'), chain);
 goto cleanup;
 }
+/* assign an implicit priority -- support XML attribute later */
+if (intMapGetByString(chain_priorities, chain, 0,
+  ret-chainPriority) == false) {
+ret-chainPriority = (MAX_RULE_PRIORITY + MIN_RULE_PRIORITY) / 2;
+}
 }
 
 uuid = virXPathString(string(./uuid), ctxt);
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.h
===
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.h
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.h
@@ -36,6 +36,7 @@ typedef ebiptablesRuleInst *ebiptablesRu
 struct _ebiptablesRuleInst {
 char *commandTemplate;
 enum virNWFilterChainSuffixType neededProtocolChain;
+virNWFilterChainPriority chainPriority;
 char chainprefix;/* I for incoming, O for outgoing */
 unsigned int priority;
 enum RuleType ruleType;
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -327,6 +327,7 @@ static int
 ebiptablesAddRuleInst(virNWFilterRuleInstPtr res,
   char *commandTemplate,
   enum virNWFilterChainSuffixType neededChain,
+  virNWFilterChainPriority chainPriority,
   char chainprefix,
   unsigned int priority,
   enum RuleType ruleType)
@@ -340,6 +341,7 @@ ebiptablesAddRuleInst(virNWFilterRuleIns
 
 inst-commandTemplate = commandTemplate;
 inst-neededProtocolChain = neededChain;
+inst-chainPriority = chainPriority;
 inst-chainprefix = chainprefix;
 inst-priority = priority;
 inst-ruleType = ruleType;
@@ -1588,6 +1590,7 @@ _iptablesCreateRuleInstance(int directio
 return ebiptablesAddRuleInst(res,
  virBufferContentAndReset(final),
  nwfilter-chainsuffix,
+ nwfilter-chainPriority,
  '\0',
  rule-priority,
  (isIPv6) ? RT_IP6TABLES : RT_IPTABLES);
@@ -2337,6 +2340,7 @@ ebtablesCreateRuleInstance(char chainPre
 return ebiptablesAddRuleInst(res,
  virBufferContentAndReset(buf),
  

Re: [libvirt] [PATCHv2 01/13] virbuf: fix const-correctness

[Eric Blake]

On 10/17/2011 05:20 AM, Hai Dong Li wrote:

On 09/30/2011 12:22 AM, Eric Blake wrote:

Although the compiler wasn't complaining (since it was the pointer,
rather than what was being pointed to, that was actually const), it
looks quite suspicious to call a function with an argument labeled
const when the nature of the pointer (virBufferPtr) is hidden behind
a typedef. Dropping const makes the function declarations easier
to read.




+++ b/src/util/buf.c
@@ -39,7 +39,7 @@ struct _virBuffer {
* freeing the content and setting the error flag.
*/
static void
-virBufferSetError(const virBufferPtr buf)
+virBufferSetError(virBufferPtr buf)
{
VIR_FREE(buf-content);
buf-size = 0;
@@ -113,7 +113,7 @@ virBufferAdd(const virBufferPtr buf, const char
*str, int len)


Maybe a typo here?The virBufferPtr still remains const, but the
declaration of this function in the buf.h shows this const is removed, too.


No.  Rather, this is an artifact of git diff.  When showing the context 
line for a hunk, it uses the context from the pre-patch file (where the 
'const' was still present), even though the hunk itself applies to the 
post-patch version without 'const'.  Basically, I never worry about the 
@@ lines - they are there as hints for where to apply the patch, and not 
a definitive part of the patch itself.


--
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH V1 4/6] Use scripting for cleaning and renaming of chains

[Stefan Berger]

Use scripts for the renaming and cleaning up of chains. This allows us to get
rid of some of the code that is only capable of renaming and removing chains
whose names are hardcoded.

A shell function 'collect_chains' is introduced that is given the name
of an ebtables chain and then recursively determines the names of all
chanins that are accessed from this chain and its sub-chains using 'jumps'.

This resulting list of chain names is then used to delete all the found
chains by first flushing and then deleting them.

The same function is also used for renaming temporary filters to their final
names.

I tested this with the bash and dash as script interpreters.

---
 src/nwfilter/nwfilter_ebiptables_driver.c |  189 --
 1 file changed, 102 insertions(+), 87 deletions(-)

Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -91,6 +91,37 @@ static char *gawk_cmd_path;
 #define PRINT_CHAIN(buf, prefix, ifname, suffix) \
 snprintf(buf, sizeof(buf), %c-%s-%s, prefix, ifname, suffix)
 
+#define FUNC_COLLECT_CHAINS \
+collect_chains()\n \
+{\n \
+  local sc\n \
+  sc=$(%s -t %s -L $1 | \\\n \
+   sed -n \/Bridge chain*/,$ s/.*\\-j \\([%s]-.*\\)/\\1/p\)\n \
+  for tmp in `echo \$sc\`; do\n \
+sc=\$sc $(collect_chains $tmp)\\n \
+  done\n \
+  echo \$sc\\n \
+}\n
+
+#define FUNC_DELETE_CHAINS \
+rm_chains()\n \
+{\n \
+  for tmp in `echo \$1\`; do %s -t %s -F $tmp; done\n \
+  for tmp in `echo \$1\`; do %s -t %s -X $tmp; done\n \
+}\n
+
+#define FUNC_RENAME_CHAINS \
+rename_chains()\n \
+{\n \
+  for tmp in `echo \$1\`; do\n \
+tmp2=`expr substr \$tmp\ 1 1`\n \
+if [ $tmp2 = \%c\ ]; then\n \
+%s -t %s -E \$tmp\ \%c\`expr substr \$tmp\ 2 33`\n \
+elif [ $tmp2 = \%c\ ]; then\n \
+%s -t %s -E \$tmp\ \%c\`expr substr \$tmp\ 2 33`\n \
+fi\n \
+  done\n \
+}\n
 
 #define VIRT_IN_CHAIN  libvirt-in
 #define VIRT_OUT_CHAIN libvirt-out
@@ -2805,95 +2836,64 @@ ebtablesCreateTmpSubChain(virBufferPtr b
 return 0;
 }
 
-
-static int
-_ebtablesRemoveSubChain(virBufferPtr buf,
-int incoming,
-const char *ifname,
-enum l3_proto_idx protoidx,
-int isTempChain)
+static int _ebtablesRemoveSubChains(virBufferPtr buf,
+const char *ifname,
+const char *chains)
 {
-char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
-char chainPrefix;
-
-if (isTempChain) {
-chainPrefix =(incoming) ? CHAINPREFIX_HOST_IN_TEMP
-: CHAINPREFIX_HOST_OUT_TEMP;
-} else {
-chainPrefix =(incoming) ? CHAINPREFIX_HOST_IN
-: CHAINPREFIX_HOST_OUT;
-}
+char rootchain[MAX_CHAINNAME_LENGTH];
+unsigned i;
 
-PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname);
-PRINT_CHAIN(chain, chainPrefix, ifname, l3_protocols[protoidx].val);
-
-virBufferAsprintf(buf,
-  %s -t %s -D %s -p 0x%x -j %s CMD_SEPARATOR
-  %s -t %s -F %s CMD_SEPARATOR
-  %s -t %s -X %s CMD_SEPARATOR,
+virBufferAsprintf(buf, FUNC_COLLECT_CHAINS,
+  ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chains);
+virBufferAsprintf(buf, FUNC_DELETE_CHAINS,
   ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
-  rootchain, l3_protocols[protoidx].attr, chain,
+  ebtables_cmd_path, EBTABLES_DEFAULT_TABLE);
 
-  ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain,
+virBufferAddLit(buf, a=\);
+for (i = 0; chains[i] != 0; i++) {
+PRINT_ROOT_CHAIN(rootchain, chains[i], ifname);
+virBufferAsprintf(buf, $(collect_chains %s) , rootchain);
+}
+virBufferAddLit(buf, \\n);
 
-  ebtables_cmd_path, EBTABLES_DEFAULT_TABLE, chain);
+for (i = 0; chains[i] != 0; i++) {
+PRINT_ROOT_CHAIN(rootchain, chains[i], ifname);
+virBufferAsprintf(buf,
+  %s -t %s -F %s\n,
+  ebtables_cmd_path, EBTABLES_DEFAULT_TABLE,
+  rootchain);
+}
+virBufferAddLit(buf, rm_chains \$a\\n);
 
 return 0;
 }
 
-
-static int
-ebtablesRemoveSubChain(virBufferPtr buf,
-   int incoming,
-   const char *ifname,
-   enum l3_proto_idx protoidx)
-{
-return _ebtablesRemoveSubChain(buf,
-   incoming, ifname, protoidx, 0);
-}
-
-
 static int
 ebtablesRemoveSubChains(virBufferPtr buf,
 

[libvirt] [PATCH V1 5/6] Use actual name of a chain in data structure

[Stefan Berger]

Use the name of the chain rather than its type index (enum).
This pushes the later enablement of chains with user-given names
into the XML parser. For now we still only allow those names that
are well known ('root', 'arp', 'rarp', 'ipv4' and 'ipv6').


---
 src/conf/nwfilter_conf.c  |   16 
 src/conf/nwfilter_conf.h  |2 +-
 src/nwfilter/nwfilter_ebiptables_driver.c |   13 +++--
 src/nwfilter/nwfilter_ebiptables_driver.h |2 +-
 4 files changed, 21 insertions(+), 12 deletions(-)

Index: libvirt-acl/src/conf/nwfilter_conf.c
===
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -311,6 +311,7 @@ virNWFilterDefFree(virNWFilterDefPtr def
 virNWFilterEntryFree(def-filterEntries[i]);
 
 VIR_FREE(def-filterEntries);
+VIR_FREE(def-chainsuffix);
 
 VIR_FREE(def);
 }
@@ -2031,20 +2032,27 @@ virNWFilterDefParseXML(xmlXPathContextPt
 goto cleanup;
 }
 
-ret-chainsuffix = VIR_NWFILTER_CHAINSUFFIX_ROOT;
 chain = virXPathString(string(./@chain), ctxt);
 if (chain) {
-if ((ret-chainsuffix =
- virNWFilterChainSuffixTypeFromString(chain))  0) {
+if (virNWFilterChainSuffixTypeFromString(chain)  0) {
 virNWFilterReportError(VIR_ERR_INTERNAL_ERROR,
_(unknown chain suffix '%s'), chain);
 goto cleanup;
 }
+ret-chainsuffix = chain;
 /* assign an implicit priority -- support XML attribute later */
 if (intMapGetByString(chain_priorities, chain, 0,
   ret-chainPriority) == false) {
 ret-chainPriority = (MAX_RULE_PRIORITY + MIN_RULE_PRIORITY) / 2;
 }
+chain = NULL;
+} else {
+ret-chainsuffix = strdup(virNWFilterChainSuffixTypeToString(
+  VIR_NWFILTER_CHAINSUFFIX_ROOT));
+if (ret-chainsuffix == NULL) {
+virReportOOMError();
+goto cleanup;
+}
 }
 
 uuid = virXPathString(string(./uuid), ctxt);
@@ -2910,7 +2918,7 @@ virNWFilterDefFormat(virNWFilterDefPtr d
 
 virBufferAsprintf(buf, filter name='%s' chain='%s',
   def-name,
-  virNWFilterChainSuffixTypeToString(def-chainsuffix));
+  def-chainsuffix);
 virBufferAddLit(buf, \n);
 
 virUUIDFormat(def-uuid, uuid);
Index: libvirt-acl/src/conf/nwfilter_conf.h
===
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -444,7 +444,7 @@ struct _virNWFilterDef {
 char *name;
 unsigned char uuid[VIR_UUID_BUFLEN];
 
-int chainsuffix; /*enum virNWFilterChainSuffixType */
+char *chainsuffix;
 virNWFilterChainPriority chainPriority;
 
 int nentries;
Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -357,7 +357,7 @@ ebiptablesRuleInstFree(ebiptablesRuleIns
 static int
 ebiptablesAddRuleInst(virNWFilterRuleInstPtr res,
   char *commandTemplate,
-  enum virNWFilterChainSuffixType neededChain,
+  const char *neededChain,
   virNWFilterChainPriority chainPriority,
   char chainprefix,
   unsigned int priority,
@@ -1933,11 +1933,13 @@ ebtablesCreateRuleInstance(char chainPre
 goto err_exit;
 }
 
-if (nwfilter-chainsuffix == VIR_NWFILTER_CHAINSUFFIX_ROOT)
+if (STREQ(nwfilter-chainsuffix,
+  virNWFilterChainSuffixTypeToString(
+  VIR_NWFILTER_CHAINSUFFIX_ROOT)))
 PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
 else
 PRINT_CHAIN(chain, chainPrefix, ifname,
-virNWFilterChainSuffixTypeToString(nwfilter-chainsuffix));
+nwfilter-chainsuffix);
 
 
 switch (rule-prtclType) {
@@ -2504,7 +2506,7 @@ ebiptablesDisplayRuleInstance(virConnect
 ebiptablesRuleInstPtr inst = (ebiptablesRuleInstPtr)_inst;
 VIR_INFO(Command Template: '%s', Needed protocol: '%s',
  inst-commandTemplate,
- virNWFilterChainSuffixTypeToString(inst-neededProtocolChain));
+ inst-neededProtocolChain);
 return 0;
 }
 
@@ -3432,8 +3434,7 @@ ebiptablesApplyNewRules(virConnectPtr co
 for (i = 0; i  nruleInstances; i++) {
 sa_assert (inst);
 if (inst[i]-ruleType == RT_EBTABLES) {
-const char *name = virNWFilterChainSuffixTypeToString(
-  inst[i]-neededProtocolChain);
+const char *name = inst[i]-neededProtocolChain;
 if 

[libvirt] [PATCH V1 1/6] Extend virHashTable with function to get hash tables keys

[Stefan Berger]

Add a function to the virHashTable for getting an array of the hash table's
keys and have the keys optionally sorted.

---
 src/libvirt_private.syms |3 +
 src/util/hash.c  |   98 +++
 src/util/hash.h  |   14 ++
 3 files changed, 115 insertions(+)

Index: libvirt-acl/src/util/hash.c
===
--- libvirt-acl.orig/src/util/hash.c
+++ libvirt-acl/src/util/hash.c
@@ -618,3 +618,101 @@ void *virHashSearch(virHashTablePtr tabl
 
 return NULL;
 }
+
+
+struct getKeysIter
+{
+virHashTablePtr table;
+void **array;
+virHashKeyValuePair *sortArray;
+unsigned arrayIdx;
+bool error;
+};
+
+static void virHashGetKeysIterator(void *payload,
+   const void *name, void *data)
+{
+struct getKeysIter *iter = data;
+void *key;
+
+if (iter-error)
+return;
+
+key = iter-table-keyCopy(name);
+
+if (key == NULL) {
+virReportOOMError();
+iter-error = true;
+return;
+}
+
+if (iter-sortArray) {
+iter-sortArray[iter-arrayIdx].key = key;
+iter-sortArray[iter-arrayIdx].value = payload;
+} else {
+iter-array[iter-arrayIdx] = iter-table-keyCopy(name);
+}
+iter-arrayIdx++;
+}
+
+void virHashFreeKeys(virHashTablePtr table, void **keys)
+{
+unsigned i = 0;
+
+if (keys == NULL)
+return;
+
+while (keys[i])
+table-keyFree(keys[i++]);
+
+VIR_FREE(keys);
+}
+
+typedef int (*qsort_comp)(const void *, const void *);
+
+void **virHashGetKeys(virHashTablePtr table,
+  virHashKeyComparator compar)
+{
+int i, numElems = virHashSize(table);
+struct getKeysIter iter = {
+.table = table,
+.arrayIdx = 0,
+.error = false,
+};
+
+if (numElems  0) {
+return NULL;
+}
+
+if (VIR_ALLOC_N(iter.array, numElems + 1)) {
+virReportOOMError();
+return NULL;
+}
+
+/* null-terminate array */
+iter.array[numElems] =  NULL;
+
+if (compar 
+VIR_ALLOC_N(iter.sortArray, numElems)) {
+VIR_FREE(iter.array);
+virReportOOMError();
+return NULL;
+}
+
+virHashForEach(table, virHashGetKeysIterator, iter);
+if (iter.error) {
+VIR_FREE(iter.sortArray);
+virHashFreeKeys(table, iter.array);
+return NULL;
+}
+
+if (compar) {
+qsort(iter.sortArray[0], numElems, sizeof(iter.sortArray[0]),
+  (qsort_comp)compar);
+for (i = 0; i  numElems; i++)
+iter.array[i] = iter.sortArray[i].key;
+VIR_FREE(iter.sortArray);
+}
+
+return iter.array;
+}
Index: libvirt-acl/src/util/hash.h
===
--- libvirt-acl.orig/src/util/hash.h
+++ libvirt-acl/src/util/hash.h
@@ -130,6 +130,20 @@ void *virHashLookup(virHashTablePtr tabl
  */
 void *virHashSteal(virHashTablePtr table, const void *name);
 
+/*
+ * Get the set of keys and have them optionally sorted.
+ */
+typedef struct _virHashKeyValuePair virHashKeyValuePair;
+typedef virHashKeyValuePair *virHashKeyValuePairPtr;
+struct _virHashKeyValuePair {
+void *key;
+const void *value;
+};
+typedef int (*virHashKeyComparator)(const virHashKeyValuePairPtr ,
+const virHashKeyValuePairPtr );
+void **virHashGetKeys(virHashTablePtr table, virHashKeyComparator compar);
+void virHashFreeKeys(virHashTablePtr table, void **);
+
 
 /*
  * Iterators
Index: libvirt-acl/src/libvirt_private.syms
===
--- libvirt-acl.orig/src/libvirt_private.syms
+++ libvirt-acl/src/libvirt_private.syms
@@ -552,6 +552,8 @@ virHashAddEntry;
 virHashCreate;
 virHashForEach;
 virHashFree;
+virHashFreeKeys;
+virHashGetKeys;
 virHashLookup;
 virHashRemoveEntry;
 virHashRemoveSet;
@@ -559,6 +561,7 @@ virHashSearch;
 virHashSize;
 virHashSteal;
 virHashTableSize;
+virHashUpdateEntry;
 
 
 # hooks.h

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH V1 3/6] Make filter creation in root table more flexible

[Stefan Berger]

Use the previously introduced chain priorities to sort the chains for access
from the 'root' table and have them created in the proper order. This gets
rid of a lot of code that was previously creating the chains in a  more
hardcoded way.

To detmerine what protocol a filter is used for evaluation do prefix-
matching, i.e., the filter 'arp' is used to filter for the 'arp' protocol,
'ipv4' for the 'ipv4' protocol and 'arp-xyz' will also be used to filter
for the 'arp' protocol.

---
 src/nwfilter/nwfilter_ebiptables_driver.c |  130 ++
 1 file changed, 98 insertions(+), 32 deletions(-)

Index: libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
===
--- libvirt-acl.orig/src/nwfilter/nwfilter_ebiptables_driver.c
+++ libvirt-acl/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2774,6 +2774,7 @@ ebtablesCreateTmpSubChain(virBufferPtr b
   int incoming,
   const char *ifname,
   enum l3_proto_idx protoidx,
+  const char *filtername,
   int stopOnError)
 {
 char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
@@ -2781,7 +2782,8 @@ ebtablesCreateTmpSubChain(virBufferPtr b
   : CHAINPREFIX_HOST_OUT_TEMP;
 
 PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname);
-PRINT_CHAIN(chain, chainPrefix, ifname, l3_protocols[protoidx].val);
+PRINT_CHAIN(chain, chainPrefix, ifname,
+(filtername) ? filtername : l3_protocols[protoidx].val);
 
 virBufferAsprintf(buf,
   CMD_DEF(%s -t %s -N %s) CMD_SEPARATOR
@@ -3288,6 +3290,13 @@ ebiptablesRuleOrderSort(const void *a, c
 return ((*insta)-priority - (*instb)-priority);
 }
 
+static int
+ebiptablesFilterOrderSort(const virHashKeyValuePairPtr a,
+  const virHashKeyValuePairPtr b)
+{
+return *(virNWFilterChainPriority *)a-value -
+   *(virNWFilterChainPriority *)b-value;
+}
 
 static void
 iptablesCheckBridgeNFCallEnabled(bool isIPv6)
@@ -3327,6 +3336,56 @@ iptablesCheckBridgeNFCallEnabled(bool is
 }
 }
 
+/*
+ * Given a filtername determine the protocol it is used for evaluating
+ * We do prefix-matching to determine the protocol.
+ */
+static enum l3_proto_idx
+ebtablesGetProtoIdxByFiltername(const char *filtername)
+{
+enum l3_proto_idx idx;
+
+for (idx = 0; idx  L3_PROTO_LAST_IDX; idx++) {
+if (STRPREFIX(filtername, l3_protocols[idx].val)) {
+return idx;
+}
+}
+
+return -1;
+}
+
+static int
+ebtablesCreateTmpRootAndSubChains(virBufferPtr buf,
+  const char *ifname,
+  virHashTablePtr chains, int direction)
+{
+int rc = 0, i;
+
+if (virHashSize(chains) != 0) {
+char **filter_names;
+
+ebtablesCreateTmpRootChain(buf, direction, ifname, 1);
+filter_names = (char **)virHashGetKeys(chains,
+   ebiptablesFilterOrderSort);
+if (filter_names == NULL) {
+virReportOOMError();
+rc = 1;
+goto err_exit;
+}
+for (i = 0; filter_names[i]; i++) {
+enum l3_proto_idx idx = ebtablesGetProtoIdxByFiltername(
+  filter_names[i]);
+if ((int)idx  0)
+continue;
+ebtablesCreateTmpSubChain(buf, direction, ifname, idx,
+  filter_names[i], 1);
+}
+virHashFreeKeys(chains, (void **)filter_names);
+}
+
+ err_exit:
+return rc;
+}
 
 static int
 ebiptablesApplyNewRules(virConnectPtr conn ATTRIBUTE_UNUSED,
@@ -3337,24 +3396,43 @@ ebiptablesApplyNewRules(virConnectPtr co
 int i;
 int cli_status;
 ebiptablesRuleInstPtr *inst = (ebiptablesRuleInstPtr *)_inst;
-int chains_in = 0, chains_out = 0;
 virBuffer buf = VIR_BUFFER_INITIALIZER;
+virHashTablePtr chains_in_set  = virHashCreate(10, NULL),
+chains_out_set = virHashCreate(10, NULL);
 bool haveIptables = false;
 bool haveIp6tables = false;
 
+if (!chains_in_set || !chains_out_set) {
+virReportOOMError();
+goto exit_free_sets;
+}
+
 if (nruleInstances  1  inst)
 qsort(inst, nruleInstances, sizeof(inst[0]), ebiptablesRuleOrderSort);
 
+/* scan the rules to see which chains need to be created */
 for (i = 0; i  nruleInstances; i++) {
 sa_assert (inst);
 if (inst[i]-ruleType == RT_EBTABLES) {
-if (inst[i]-chainprefix == CHAINPREFIX_HOST_IN_TEMP)
-chains_in  |= (1  inst[i]-neededProtocolChain);
-else
-chains_out |= (1  inst[i]-neededProtocolChain);
+const char *name = virNWFilterChainSuffixTypeToString(
+  

[libvirt] [PATCH V1 0/6] Make part of inner workings of nwfilters more flexible

[Stefan Berger]

The following series of patches re-does some of the inner workings
of nwfilters with the goal to enable users to write filters that have other
than the system-known chains supported right now ('root','arp','rarp','ipv4'
and 'ipv6'). Ideally users should be able to provide a chain name in the
chains XML attribute and either be able to jump to it as an 'action' or 
have the chain created automatically as it is the case right now for those
chains enumerated before.

I am introducing internal priorities for the chains mentioned above so that
their creation can be made more flexible -- currently their creation and
the order in which they are accessed is hardcoded. This largely does away
with the hardcoded stuff.

Further, filters will be automatically accessed from the (ebtables) 
'root' chain using the prefix of the name of the chain. As an example, this
filter will be accessed from the root chain for 'arp' packets since its
name 'arpmac' has the prefix 'arp'.

filter name='allow-arpmac' chain='arpmac'
  uuid94abeecc-c956-0ac8-1f49-a06ee8995688/uuid
  rule action='accept' direction='out' priority='100'
arp opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/
  /rule
  rule action='accept' direction='inout' priority='500'/
/filter

In the future the chains may have priorities supported in the XML in order to
control the order in which they are accessed.

filter name='allow-arpmac' chain='arpmac' prirotiy='650'
[...]

The series does not enable users yet to provide names of chains but instead
pushes the problem of their later enablement into the XML parser and
prepares the rest of the code to handle it (as far as this can be seen).

I did the testing with the test cases in libvirt-tck and did not see
regressions.

Regards,
Stefan

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH V1 6/6] Example of adding a new filter called arpmac.

[Stefan Berger]

Only as an example show how to add a new 'system filter' called 'arpmac'.
Using 'prefix matching' introduced in previous patches, it generates
a table 'arpmac' that will be jumped into using '-p arp'.

The below patch adds arpmac with a priority of 650, which helps sorting
its entry in the 'root' table.

Since previous code still doesn't allow arbitrary names we still need to
add its name to the virNWFilerChainSuffixType and the list of strings.

This patch would enable the following filter using the 'arpmac' chain.

filter name='allow-arpmac' chain='arpmac'
  uuid94abeecc-c956-0ac8-1f49-a06ee8995688/uuid
  rule action='accept' direction='out' priority='100'
arp opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/
  /rule
  rule action='accept' direction='inout' priority='500'/
/filter

---
 src/conf/nwfilter_conf.c |5 -
 src/conf/nwfilter_conf.h |1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

Index: libvirt-acl/src/conf/nwfilter_conf.c
===
--- libvirt-acl.orig/src/conf/nwfilter_conf.c
+++ libvirt-acl/src/conf/nwfilter_conf.c
@@ -81,7 +81,8 @@ VIR_ENUM_IMPL(virNWFilterChainSuffix, VI
   arp,
   rarp,
   ipv4,
-  ipv6);
+  ipv6,
+  arpmac);
 
 VIR_ENUM_IMPL(virNWFilterRuleProtocol, VIR_NWFILTER_RULE_PROTOCOL_LAST,
   none,
@@ -124,6 +125,7 @@ struct int_map {
 #define NWFILTER_IPV4_FILTER_PRI 200
 #define NWFILTER_IPV6_FILTER_PRI 400
 #define NWFILTER_ARP_FILTER_PRI  600
+#define NWFILTER_ARPMAC_FILTER_PRI 650
 #define NWFILTER_RARP_FILTER_PRI 800
 
 static const struct int_map chain_priorities[] = {
@@ -132,6 +134,7 @@ static const struct int_map chain_priori
 INTMAP_ENTRY(NWFILTER_IPV6_FILTER_PRI, ipv6),
 INTMAP_ENTRY(NWFILTER_ARP_FILTER_PRI , arp ),
 INTMAP_ENTRY(NWFILTER_RARP_FILTER_PRI, rarp),
+INTMAP_ENTRY(NWFILTER_ARPMAC_FILTER_PRI, arpmac),
 INTMAP_ENTRY_LAST,
 };
 
Index: libvirt-acl/src/conf/nwfilter_conf.h
===
--- libvirt-acl.orig/src/conf/nwfilter_conf.h
+++ libvirt-acl/src/conf/nwfilter_conf.h
@@ -431,6 +431,7 @@ enum virNWFilterChainSuffixType {
 VIR_NWFILTER_CHAINSUFFIX_RARP,
 VIR_NWFILTER_CHAINSUFFIX_IPv4,
 VIR_NWFILTER_CHAINSUFFIX_IPv6,
+VIR_NWFILTER_CHAINSUFFIX_ARPMAC,
 
 VIR_NWFILTER_CHAINSUFFIX_LAST,
 };

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH] Fix two comments related to error handling

[Philipp Hahn]

Signed-off-by: Philipp Hahn h...@univention.de
---
 include/libvirt/virterror.h |2 +-
 python/libvirt-override.py  |2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/libvirt/virterror.h b/include/libvirt/virterror.h
index dfbe2bc..a8549b7 100644
--- a/include/libvirt/virterror.h
+++ b/include/libvirt/virterror.h
@@ -206,7 +206,7 @@ typedef enum {
 VIR_ERR_INVALID_STORAGE_VOL = 47,  /* invalid storage vol object */
 VIR_WAR_NO_STORAGE = 48,   /* failed to start storage */
 VIR_ERR_NO_STORAGE_POOL = 49,  /* storage pool not found */
-VIR_ERR_NO_STORAGE_VOL = 50,   /* storage pool not found */
+VIR_ERR_NO_STORAGE_VOL = 50,   /* storage volume not found */
 VIR_WAR_NO_NODE = 51,  /* failed to start node driver */
 VIR_ERR_INVALID_NODE_DEVICE = 52,  /* invalid node device object */
 VIR_ERR_NO_NODE_DEVICE = 53,   /* node device not found */
diff --git a/python/libvirt-override.py b/python/libvirt-override.py
index 387fddf..8427eab 100644
--- a/python/libvirt-override.py
+++ b/python/libvirt-override.py
@@ -79,7 +79,7 @@ class libvirtError(Exception):
 # register the libvirt global error handler
 #
 def registerErrorHandler(f, ctx):
-Register a Python written function to for error reporting.
+Register a Python function for error reporting.
The function is called back as f(ctx, error), with error
being a list of information about the error being raised.
Returns 1 in case of success.
-- 
1.7.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] Fix two comments related to error handling

[Peter Krempa]

On 10/17/2011 05:02 PM, Philipp Hahn wrote:

Signed-off-by: Philipp Hahnh...@univention.de
---
  include/libvirt/virterror.h |2 +-
  python/libvirt-override.py  |2 +-
  2 files changed, 2 insertions(+), 2 deletions(-)

ACK and pushed.

Peter

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] Compiler warnings

[Alex Jia]

Hi all,
I meet the following compiler warnings today:
..
  CC libvirt_util_la-buf.lo
util/buf.c: In function 'virBufferEscape':
util/buf.c:430: warning: logical '' with non-zero constant will always
evaluate as true [-Wlogical-op]
  CC libvirt_util_la-command.lo
..
  CC libvirt_lxc-buf.o
util/buf.c: In function 'virBufferEscape':
util/buf.c:430: warning: logical '' with non-zero constant will always
evaluate as true [-Wlogical-op]
  CC libvirt_lxc-command.o
..

Has anybody the same experience?

Thanks,
Alex


--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] Compiler warnings

[Eric Blake]

On 10/17/2011 09:35 AM, Alex Jia wrote:

Hi all,
I meet the following compiler warnings today:
..
   CC libvirt_util_la-buf.lo
util/buf.c: In function 'virBufferEscape':
util/buf.c:430: warning: logical '' with non-zero constant will always
evaluate as true [-Wlogical-op]


Which version of gcc?



Has anybody the same experience?


Not with gcc 4.5.1 (Fedora 14), but not the first time that newer gcc 
has become smarter.  I'll patch it if I can reproduce it (I'll try a 
rawhide build shortly).


--
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 03/10] reverse sense of address matching

[Stefan Berger]

On 10/12/2011 03:50 PM, David L Stevens wrote:

This patch changes rules of the form:

if ! addr drop
 accept
to:
if addr return
...
drop

The patch adds a mac chain to do a mac address list and separates the arp
chain into separate arpmac and arpip chains that can check multiple MAC
or IP addresses in any combination. This patch itself does not support multiple
addresses via the MAC and IP variables, but only changes the form of the rules
to allow multiple addresses in the future.

Signed-off-by: David L Stevensdlstev...@us.ibm.com
---
  examples/xml/nwfilter/Makefile.am |4 ++
  examples/xml/nwfilter/allow-arp.xml   |5 ++-
  examples/xml/nwfilter/allow-arpip.xml |3 ++
  examples/xml/nwfilter/allow-arpmac.xml|3 ++
  examples/xml/nwfilter/clean-traffic.xml   |6 ++--
  examples/xml/nwfilter/no-arp-spoofing.xml |   19 ++
  examples/xml/nwfilter/no-arpip-spoofing.xml   |   12 ++
  examples/xml/nwfilter/no-arpmac-spoofing.xml  |7 
  examples/xml/nwfilter/no-ip-spoofing.xml  |6 ++-
  examples/xml/nwfilter/no-mac-spoofing.xml |   12 --
  examples/xml/nwfilter/no-other-l2-traffic.xml |   13 +--
  src/conf/nwfilter_conf.c  |4 ++-
  src/conf/nwfilter_conf.h  |4 ++-
  src/nwfilter/nwfilter_ebiptables_driver.c |   48 +---
  14 files changed, 99 insertions(+), 47 deletions(-)
  create mode 100644 examples/xml/nwfilter/allow-arpip.xml
  create mode 100644 examples/xml/nwfilter/allow-arpmac.xml
  create mode 100644 examples/xml/nwfilter/no-arpip-spoofing.xml
  create mode 100644 examples/xml/nwfilter/no-arpmac-spoofing.xml

diff --git a/examples/xml/nwfilter/Makefile.am 
b/examples/xml/nwfilter/Makefile.am
index 23fd753..84aaa3c 100644
--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
@@ -3,12 +3,16 @@

  FILTERS = \
allow-arp.xml \
+   allow-arpip.xml \
+   allow-arpmac.xml \
allow-dhcp-server.xml \
allow-dhcp.xml \
allow-incoming-ipv4.xml \
allow-ipv4.xml \
clean-traffic.xml \
no-arp-spoofing.xml \
+   no-arpmac-spoofing.xml \
+   no-arpip-spoofing.xml \
no-ip-multicast.xml \
no-ip-spoofing.xml \
no-mac-broadcast.xml \
diff --git a/examples/xml/nwfilter/allow-arp.xml 
b/examples/xml/nwfilter/allow-arp.xml
index 63a92b2..6271ae4 100644
--- a/examples/xml/nwfilter/allow-arp.xml
+++ b/examples/xml/nwfilter/allow-arp.xml
@@ -1,3 +1,4 @@
-filter name='allow-arp' chain='arp'
-rule direction='inout' action='accept'/
+filter name='allow-arp' chain='arpmac'
+filterref filter='allow-arpmac.xml'/
+filterref filter='allow-arpip.xml'/
  /filter
diff --git a/examples/xml/nwfilter/allow-arpip.xml 
b/examples/xml/nwfilter/allow-arpip.xml
new file mode 100644
index 000..6ddb6fe
--- /dev/null
+++ b/examples/xml/nwfilter/allow-arpip.xml
@@ -0,0 +1,3 @@
+filter name='allow-arpip' chain='arpip'
+rule direction='inout' action='accept'/
+/filter
diff --git a/examples/xml/nwfilter/allow-arpmac.xml 
b/examples/xml/nwfilter/allow-arpmac.xml
new file mode 100644
index 000..54f6714
--- /dev/null
+++ b/examples/xml/nwfilter/allow-arpmac.xml
@@ -0,0 +1,3 @@
+filter name='allow-arpmac' chain='arpmac'
+rule direction='inout' action='accept'/
+/filter
diff --git a/examples/xml/nwfilter/clean-traffic.xml 
b/examples/xml/nwfilter/clean-traffic.xml
index 40f0ecb..9cee799 100644
--- a/examples/xml/nwfilter/clean-traffic.xml
+++ b/examples/xml/nwfilter/clean-traffic.xml
@@ -11,10 +11,10 @@
 !-- preventing ARP spoofing/poisoning --
 filterref filter='no-arp-spoofing'/

-!-- preventing any other traffic than IPv4 and ARP --
-filterref filter='no-other-l2-traffic'/
-
 !-- allow qemu to send a self-announce upon migration end --
 filterref filter='qemu-announce-self'/

+!-- preventing any other traffic than IPv4 and ARP --
+filterref filter='no-other-l2-traffic'/
+
  /filter
diff --git a/examples/xml/nwfilter/no-arp-spoofing.xml 
b/examples/xml/nwfilter/no-arp-spoofing.xml
index 3c83acd..1979b20 100644
--- a/examples/xml/nwfilter/no-arp-spoofing.xml
+++ b/examples/xml/nwfilter/no-arp-spoofing.xml
@@ -1,17 +1,4 @@
-filter name='no-arp-spoofing' chain='arp'
-uuidf88f1932-debf-4aa1-9fbe-f10d3aa4bc95/uuid
-rule action='drop' direction='out' priority='300'
-mac match='no' srcmacaddr='$MAC'/
-/rule
-
-!-- no arp spoofing --
-!-- drop if ipaddr or macaddr does not belong to guest --
-rule action='drop' direction='out' priority='350'
-arp match='no' arpsrcmacaddr='$MAC'/
-/rule
-rule action='drop' direction='out' priority='400'
-arp match='no' arpsrcipaddr='$IP' /
-/rule
-!-- allow everything else --
-rule action='accept' direction='in' priority='425' /
+filter name='no-arp-spoofing'
+filterref filter='no-arpmac-spoofing' /
+filterref filter='no-arpip-spoofing' /
  /filter
diff --git 

Re: [libvirt] Compiler warnings

[Alex Jia]

Eric,
# rpm -q gcc
gcc-4.4.6-3.el6.x86_64

Regards,
Alex

- Original Message -
From: Eric Blake ebl...@redhat.com
To: Alex Jia a...@redhat.com
Cc: libvir-list@redhat.com
Sent: Monday, October 17, 2011 11:38:50 PM
Subject: Re: [libvirt]  Compiler warnings

On 10/17/2011 09:35 AM, Alex Jia wrote:
 Hi all,
 I meet the following compiler warnings today:
 ..
CC libvirt_util_la-buf.lo
 util/buf.c: In function 'virBufferEscape':
 util/buf.c:430: warning: logical '' with non-zero constant will always
 evaluate as true [-Wlogical-op]

Which version of gcc?


 Has anybody the same experience?

Not with gcc 4.5.1 (Fedora 14), but not the first time that newer gcc 
has become smarter.  I'll patch it if I can reproduce it (I'll try a 
rawhide build shortly).

-- 
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 04/10] make default chain policy DROP

[Stefan Berger]

On 10/12/2011 03:50 PM, David L Stevens wrote:

This patch simplifies the table rules by setting the protocol chains
policy to be DROP and removes the explicit -j DROP entries that the
protocol rules had previously. It also makes no-other-rarp-traffic.xml
obsolete.
I agree with Daniel's previous comments that this could introduce 
compatibility problems. It would be best not to change it or if really 
need be later on introduce an XML attribute for a chain that allows to 
choose whether the default policy is accept or drop.


 Stefan


Signed-off-by: David L Stevensdlstev...@us.ibm.com
---
  examples/xml/nwfilter/Makefile.am   |1 -
  examples/xml/nwfilter/no-arpip-spoofing.xml |2 --
  examples/xml/nwfilter/no-arpmac-spoofing.xml|2 --
  examples/xml/nwfilter/no-ip-spoofing.xml|2 --
  examples/xml/nwfilter/no-mac-spoofing.xml   |2 --
  examples/xml/nwfilter/no-other-rarp-traffic.xml |3 ---
  examples/xml/nwfilter/qemu-announce-self.xml|1 -
  src/nwfilter/nwfilter_ebiptables_driver.c   |   11 +--
  8 files changed, 1 insertions(+), 23 deletions(-)
  delete mode 100644 examples/xml/nwfilter/no-other-rarp-traffic.xml

diff --git a/examples/xml/nwfilter/Makefile.am 
b/examples/xml/nwfilter/Makefile.am
index 84aaa3c..67085fa 100644
--- a/examples/xml/nwfilter/Makefile.am
+++ b/examples/xml/nwfilter/Makefile.am
@@ -18,7 +18,6 @@ FILTERS = \
no-mac-broadcast.xml \
no-mac-spoofing.xml \
no-other-l2-traffic.xml \
-   no-other-rarp-traffic.xml \
qemu-announce-self.xml \
qemu-announce-self-rarp.xml

diff --git a/examples/xml/nwfilter/no-arpip-spoofing.xml 
b/examples/xml/nwfilter/no-arpip-spoofing.xml
index ee42d40..7ef6f0f 100644
--- a/examples/xml/nwfilter/no-arpip-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpip-spoofing.xml
@@ -7,6 +7,4 @@
 rule action='return' direction='out' priority='410'
 arp match='yes' arpsrcipaddr='0.0.0.0' /
 /rule
-!-- drop everything else --
-rule action='drop' direction='out' priority='1000' /
  /filter
diff --git a/examples/xml/nwfilter/no-arpmac-spoofing.xml 
b/examples/xml/nwfilter/no-arpmac-spoofing.xml
index 90499d3..3834047 100644
--- a/examples/xml/nwfilter/no-arpmac-spoofing.xml
+++ b/examples/xml/nwfilter/no-arpmac-spoofing.xml
@@ -2,6 +2,4 @@
 rule action='return' direction='out' priority='350'
 arp match='yes' arpsrcmacaddr='$MAC'/
 /rule
-!-- drop everything else --
-rule action='drop' direction='out' priority='1000' /
  /filter
diff --git a/examples/xml/nwfilter/no-ip-spoofing.xml 
b/examples/xml/nwfilter/no-ip-spoofing.xml
index 84e8a5e..2fccd12 100644
--- a/examples/xml/nwfilter/no-ip-spoofing.xml
+++ b/examples/xml/nwfilter/no-ip-spoofing.xml
@@ -4,6 +4,4 @@
  rule action='return' direction='out'
  ip match='yes' srcipaddr='$IP' /
  /rule
-!-- drop any that don't match the source IP list --
-rule action='drop' direction='out' /
  /filter
diff --git a/examples/xml/nwfilter/no-mac-spoofing.xml 
b/examples/xml/nwfilter/no-mac-spoofing.xml
index aee56c7..e2e8c03 100644
--- a/examples/xml/nwfilter/no-mac-spoofing.xml
+++ b/examples/xml/nwfilter/no-mac-spoofing.xml
@@ -4,6 +4,4 @@
 rule action='return' direction='out' priority='350'
 mac match='yes' srcmacaddr='$MAC'/
 /rule
-!-- drop everything else --
-rule action='drop' direction='out' priority='1000' /
  /filter
diff --git a/examples/xml/nwfilter/no-other-rarp-traffic.xml 
b/examples/xml/nwfilter/no-other-rarp-traffic.xml
deleted file mode 100644
index 7729996..000
--- a/examples/xml/nwfilter/no-other-rarp-traffic.xml
+++ /dev/null
@@ -1,3 +0,0 @@
-filter name='no-other-rarp-traffic' chain='rarp'
-rule action='drop' direction='inout' priority='1000'/
-/filter
diff --git a/examples/xml/nwfilter/qemu-announce-self.xml 
b/examples/xml/nwfilter/qemu-announce-self.xml
index 352db50..12957b5 100644
--- a/examples/xml/nwfilter/qemu-announce-self.xml
+++ b/examples/xml/nwfilter/qemu-announce-self.xml
@@ -8,6 +8,5 @@

  !-- accept if it was changed to rarp --
  filterref filter='qemu-announce-self-rarp'/
-filterref filter='no-other-rarp-traffic'/

  /filter
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c 
b/src/nwfilter/nwfilter_ebiptables_driver.c
index 3c6fca7..e6a4880 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -2791,7 +2791,7 @@ ebtablesCreateTmpSubChain(virBufferPtr buf,
  protostr[0] = '\0';

  virBufferAsprintf(buf,
-  CMD_DEF(%s -t %s -N %s) CMD_SEPARATOR
+  CMD_DEF(%s -t %s -N %s -P DROP) CMD_SEPARATOR
CMD_EXEC
%s
CMD_DEF(%s -t %s -A %s %s -j %s) CMD_SEPARATOR
@@ -3015,15 +3015,6 @@ ebtablesApplyBasicRules(const char *ifname,

  PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
  virBufferAsprintf(buf,
-  

Re: [libvirt] [PATCH] Fix VPATH build

[Eric Blake]

On 10/17/2011 09:54 AM, Jiri Denemark wrote:

probes.h is generated in build directory; setting a dependency on
probes.h from source directory doesn't work well in VPATH builds. Caused
by commit 1afcfbdda0cac112faa61f74ec943e46aa43f2f5
---
  src/Makefile.am |2 +-
  1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/Makefile.am b/src/Makefile.am
index 510e5ef..87d91ed 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -191,7 +191,7 @@ REMOTE_DRIVER_GENERATED = \

  # The remote RPC driver needs probes.h
  if WITH_DTRACE
-REMOTE_DRIVER_GENERATED += $(srcdir)/probes.h
+REMOTE_DRIVER_GENERATED += probes.h


ACK.  probes.h is part of BUILT_SOURCES, which means it is not part of 
the tarball, which means that it does not have to be in the source 
directory.


--
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH] qemu: avoid dereferencing a NULL pointer

[ajia]

From: Alex Jia a...@redhat.com

* src/qemu/qemu_hostdev.c: function 'pciDeviceListFind' probably explicitly
  returns null, however, the function 'pciDeviceSetUsedBy' directly uses it
  without any judgement.

Signed-off-by: Alex Jia a...@redhat.com
---
 src/qemu/qemu_hostdev.c |5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/qemu/qemu_hostdev.c b/src/qemu/qemu_hostdev.c
index c65f6f5..4e148b0 100644
--- a/src/qemu/qemu_hostdev.c
+++ b/src/qemu/qemu_hostdev.c
@@ -227,9 +227,8 @@ int qemuPrepareHostdevPCIDevices(struct qemud_driver 
*driver,
 pciDevice *dev, *activeDev;
 
 dev = pciDeviceListGet(pcidevs, i);
-activeDev = pciDeviceListFind(driver-activePciHostdevs, dev);
-
-pciDeviceSetUsedBy(activeDev, name);
+if ((activeDev = pciDeviceListFind(driver-activePciHostdevs, dev)))
+pciDeviceSetUsedBy(activeDev, name);
 }
 
 /* Loop 6: Now steal all the devices from pcidevs */
-- 
1.7.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] Compiler warnings

[Eric Blake]

On 10/17/2011 09:51 AM, Alex Jia wrote:

Eric,
# rpm -q gcc
gcc-4.4.6-3.el6.x86_64


I'm still not seeing it on my RHEL 6 host.  What version of glibc (in 
case it's a header problem), and is this the latest libvirt.git or a 
particular source rpm rebuild?  What's on line 430 of the file in question?



CC libvirt_util_la-buf.lo
util/buf.c: In function 'virBufferEscape':
util/buf.c:430: warning: logical '' with non-zero constant will always
evaluate as true [-Wlogical-op]


--
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 05/10] allow chain modification

[Stefan Berger]

On 10/12/2011 03:50 PM, David L Stevens wrote:

This patch adds the internal capability to add rules to existing
chains instead of using temporary chains and to generate placeholders for
chains that are referenced without generating a rule for them immediately.
Finally, it includes variable matching for filter instantiation
(i.e., instantiate only when a given variable is present in a filter, or
only when it is not).

Following the above I am not sure what this will be used for as part of 
this extension.



Signed-off-by: David L Stevensdlstev...@us.ibm.com
---
  src/conf/nwfilter_conf.h  |4 +-
  src/nwfilter/nwfilter_ebiptables_driver.c |   93 +
  src/nwfilter/nwfilter_gentech_driver.c|   32 +-
  3 files changed, 100 insertions(+), 29 deletions(-)

diff --git a/src/conf/nwfilter_conf.h b/src/conf/nwfilter_conf.h
index 17e954e..4348378 100644
--- a/src/conf/nwfilter_conf.h
+++ b/src/conf/nwfilter_conf.h
@@ -525,7 +525,9 @@ typedef int (*virNWFilterRuleCreateInstance)(virConnectPtr 
conn,
   virNWFilterRuleDefPtr rule,
   const char *ifname,
   virNWFilterHashTablePtr vars,
- virNWFilterRuleInstPtr res);
+ virNWFilterRuleInstPtr res,
+ bool usetemp,
+ bool dummy);

  typedef int (*virNWFilterRuleApplyNewRules)(virConnectPtr conn,
  const char *ifname,
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c 
b/src/nwfilter/nwfilter_ebiptables_driver.c
index e6a4880..918625c 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -1136,6 +1136,7 @@ iptablesEnforceDirection(int directionIn,
   * @isIPv6 : Whether this is an IPv6 rule
   * @maySkipICMP : whether this rule may under certain circumstances skip
   *   the ICMP rule from being created
+ * @dummy : generate rule placeholder without installing
   *
   * Convert a single rule into its representation for later instantiation
   *
@@ -1154,7 +1155,8 @@ _iptablesCreateRuleInstance(int directionIn,
  const char *match, bool defMatch,
  const char *accept_target,
  bool isIPv6,
-bool maySkipICMP)
+bool maySkipICMP,
+bool dummy)
  {
  char chain[MAX_CHAINNAME_LENGTH];
  char number[20];
@@ -1181,6 +1183,13 @@ _iptablesCreateRuleInstance(int directionIn,

  PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);

+if (dummy) {
+virBufferAsprintf(buf, CMD_DEF_PRE %s -- %s -%%c %s %%s,
+  echo, iptables_cmd, chain);
+bufUsed = virBufferUse(buf);
+goto prskip;
+}
+
  switch (rule-prtclType) {
  case VIR_NWFILTER_RULE_PROTOCOL_TCP:
  case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6:
@@ -1521,6 +1530,8 @@ _iptablesCreateRuleInstance(int directionIn,
  return -1;
  }

+prskip:
+
  if ((srcMacSkipped  bufUsed == virBufferUse(buf)) ||
   skipRule) {
  virBufferFreeAndReset(buf);
@@ -1636,7 +1647,9 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr 
nwfilter,
  const char *ifname,
  virNWFilterHashTablePtr vars,
  virNWFilterRuleInstPtr res,
-bool isIPv6)
+bool isIPv6,
+bool usetemp,
+bool dummy)
  {
  int rc;
  int directionIn = 0;
@@ -1668,7 +1681,7 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr 
nwfilter,
  return 1;
  }

-chainPrefix[1] = CHAINPREFIX_HOST_IN_TEMP;
+chainPrefix[1] = usetemp ? CHAINPREFIX_HOST_IN_TEMP : CHAINPREFIX_HOST_IN;
  if (create) {
  rc = _iptablesCreateRuleInstance(directionIn,
   chainPrefix,
@@ -1680,7 +1693,8 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr 
nwfilter,
   matchState, false,
   RETURN,
   isIPv6,
- maySkipICMP);
+ maySkipICMP,
+ dummy);

  VIR_FREE(matchState);
  if (rc)
@@ -1700,7 +1714,8 @@ iptablesCreateRuleInstanceStateCtrl(virNWFilterDefPtr 
nwfilter,
  return 1;
  }

-chainPrefix[1] = CHAINPREFIX_HOST_OUT_TEMP;
+chainPrefix[1] = usetemp ? 

Re: [libvirt] Compiler warnings

[Alex Jia]

Eric,
It's latest libvirt upstream, current commit id is commit 0a71c79.

# rpm -q glibc
glibc-2.12-1.42.el6.x86_64

399 void
400 virBufferEscape(const virBufferPtr buf,
401 const char *toescape,
402 const char *format,
403 const char *str)
404 {
.

427 cur = str;
428 out = escaped;
429 while (*cur != 0) {
430 if (strchr(toescape, *cur))
431 *out++ = '\\';
432 *out++ = *cur;
433 cur++;
434 }

..


Regards,
Alex



- Original Message -
From: Eric Blake ebl...@redhat.com
To: Alex Jia a...@redhat.com
Cc: libvir-list@redhat.com
Sent: Tuesday, October 18, 2011 12:11:19 AM
Subject: Re: [libvirt]  Compiler warnings

On 10/17/2011 09:51 AM, Alex Jia wrote:
 Eric,
 # rpm -q gcc
 gcc-4.4.6-3.el6.x86_64

I'm still not seeing it on my RHEL 6 host.  What version of glibc (in 
case it's a header problem), and is this the latest libvirt.git or a 
particular source rpm rebuild?  What's on line 430 of the file in question?

 CC libvirt_util_la-buf.lo
 util/buf.c: In function 'virBufferEscape':
 util/buf.c:430: warning: logical '' with non-zero constant will always
 evaluate as true [-Wlogical-op]

-- 
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] qemu: avoid dereferencing a NULL pointer

[Eric Blake]

On 10/17/2011 10:09 AM, a...@redhat.com wrote:

From: Alex Jiaa...@redhat.com

* src/qemu/qemu_hostdev.c: function 'pciDeviceListFind' probably explicitly
   returns null, however, the function 'pciDeviceSetUsedBy' directly uses it
   without any judgement.

Signed-off-by: Alex Jiaa...@redhat.com
---
  src/qemu/qemu_hostdev.c |5 ++---
  1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/qemu/qemu_hostdev.c b/src/qemu/qemu_hostdev.c
index c65f6f5..4e148b0 100644
--- a/src/qemu/qemu_hostdev.c
+++ b/src/qemu/qemu_hostdev.c
@@ -227,9 +227,8 @@ int qemuPrepareHostdevPCIDevices(struct qemud_driver 
*driver,
  pciDevice *dev, *activeDev;

  dev = pciDeviceListGet(pcidevs, i);
-activeDev = pciDeviceListFind(driver-activePciHostdevs, dev);
-
-pciDeviceSetUsedBy(activeDev, name);
+if ((activeDev = pciDeviceListFind(driver-activePciHostdevs, dev)))
+pciDeviceSetUsedBy(activeDev, name);


False positive.  Just a few lines earlier, in loop 4, we guaranteed that 
dev was added to driver-activePciHostdevs, therefore, activeDev cannot 
be NULL here.


That said, we could probably simplify things by consolidating loop 5 and 
6 into one, and in the process of that simplification, silence the 
spurious warning from the static analyzer.


--
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH] Fix virt-sanlock-cleanup documentation

[Philipp Hahn]

The referenced page does not exist, but locking.html has a section about
sanlock.

Signed-off-by: Philipp Hahn h...@univention.de
---
 tools/virt-sanlock-cleanup.in |6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/virt-sanlock-cleanup.in b/tools/virt-sanlock-cleanup.in
index 72cd5e0..e143e7d 100644
--- a/tools/virt-sanlock-cleanup.in
+++ b/tools/virt-sanlock-cleanup.in
@@ -64,8 +64,8 @@ active.
 
 =head1 EXIT STATUS
 
-Upon successful processing of leases cleanup, the exit status
-will be 0 will be set. Upon fatal error a non-zero status will
+Upon successful processing of leases cleanup, an exit status
+of 0 will be set. Upon fatal error a non-zero status will
 be set.
 
 =head1 AUTHOR
@@ -91,6 +91,6 @@ PURPOSE
 
 =head1 SEE ALSO
 
-Cvirsh(1), online instructions Chttp://libvirt.org/locksanlock.html
+Cvirsh(1), online instructions Chttp://libvirt.org/locking.html
 
 =cut
-- 
1.7.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 07/10] support variable value changing

[Stefan Berger]

On 10/12/2011 03:50 PM, David L Stevens wrote:

This patch adds a function that applies or deletes filter rules to existing
chains. Rules referencing the given variable are instantiated with the given
value, or optionally deleted. For example, passing variable IP with different
values will install rules using the IP variable with each of the different
values. These rules can later be removed by calling this function with the
same variable and value and delete argument set to 1.

Signed-off-by: David L Stevensdlstev...@us.ibm.com
---
  src/nwfilter/nwfilter_gentech_driver.c |   86 
  src/nwfilter/nwfilter_gentech_driver.h |   11 
  2 files changed, 97 insertions(+), 0 deletions(-)

diff --git a/src/nwfilter/nwfilter_gentech_driver.c 
b/src/nwfilter/nwfilter_gentech_driver.c
index 79350ac..563a1f3 100644
--- a/src/nwfilter/nwfilter_gentech_driver.c
+++ b/src/nwfilter/nwfilter_gentech_driver.c
@@ -620,6 +620,92 @@ virNWFilterRuleInstancesToArray(int nEntries,


  /**
+ * virNWFilterChangeVar:
+ * @conn: pointer to virConnect object
+ * @techdriver: The driver to use for instantiation
+ * @filter: The filter to instantiate
+ * @ifname: The name of the interface to apply the rules to
+ * @vars: A map holding variable names and values used for instantiating
+ *  the filter and its subfilters.
+ * @var: name of variable to change
+ * @value: value of variable to change
+ * @delete: =0 to create or =1 to delete the rules
+ *
+ * Returns 0 on success, a value otherwise.
+ *
+ * Instantiate or delete a filter and all subfilters with variable var
+ * set to value value.
+ * The name of the interface to which the rules belong must be
+ * provided.
+ *
+ * Call this function while holding the NWFilter filter update lock
+ */
+int
+virNWFilterChangeVar(virConnectPtr conn,
+virNWFilterTechDriverPtr techdriver,
+enum virDomainNetType nettype,
+virNWFilterDefPtr filter,
+const char *ifname,
+virNWFilterHashTablePtr vars,
+virNWFilterDriverStatePtr driver,
+const char *var,
+char *value,
+bool delete)
+{
+int rc;
+int j, nptrs;
+int nEntries = 0;
+virNWFilterRuleInstPtr *insts = NULL;
+void **ptrs = NULL;
+bool foundNewFilter = 0;
+
+if (virNWFilterHashTablePut(vars, var, value, 1)) {
+virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, _(Cound not add 
+   variable \%s\ to hashmap), var);
+return 1;
+}
+rc = _virNWFilterInstantiateRec(conn,
+techdriver,
+nettype,
+filter,
+ifname,
+vars,
+NWFILTER_STD_VAR_IP, 0,
+nEntries,insts,
+INSTANTIATE_ALWAYS,foundNewFilter,
+driver);

Given the NWFILTER_STD_VAR_IP parameter, what does it give us at this point?

+ if (rc)
+ goto err_exit;
+ rc = virNWFilterRuleInstancesToArray(nEntries, insts,ptrs,nptrs);
+ if (rc)
+ goto err_exit;
+
+if (virNWFilterHashTableRemoveEntry(vars, var)  0) {
+virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, _(Could not remove 
+   variable \%s\ from hashmap), var);
+return 1;
+}
+
+if (virNWFilterLockIface(ifname))
+ goto err_exit;
+
+ if (delete)
+ rc = techdriver-removeRules(conn, ifname, nptrs, ptrs);
+ else
+ rc = techdriver-addRules(conn, ifname, nptrs, ptrs);
I am wondering about this addRules() and whether the rules are being 
added to the end of a chain and thus the rules' assumed priority would 
have to be such that these rules can actually always be the last ones?



+ virNWFilterUnlockIface(ifname);
+ VIR_FREE(ptrs);
+
+err_exit:
+
+for (j = 0; j  nEntries; j++)
+ virNWFilterRuleInstFree(insts[j]);
+VIR_FREE(insts);
+return rc;
+}
+
+
+/**
   * virNWFilterInstantiate:
   * @conn: pointer to virConnect object
   * @techdriver: The driver to use for instantiation
diff --git a/src/nwfilter/nwfilter_gentech_driver.h 
b/src/nwfilter/nwfilter_gentech_driver.h
index fa86030..34e95c7 100644
--- a/src/nwfilter/nwfilter_gentech_driver.h
+++ b/src/nwfilter/nwfilter_gentech_driver.h
@@ -48,6 +48,17 @@ int virNWFilterRollbackUpdateFilter(virConnectPtr conn,
  int virNWFilterTearOldFilter(virConnectPtr conn,
   const virDomainNetDefPtr net);

+int virNWFilterChangeVar(virConnectPtr conn,
+virNWFilterTechDriverPtr techdriver,
+enum virDomainNetType nettype,
+virNWFilterDefPtr filter,
+const char *ifname,
+

Re: [libvirt] [PATCH] qemu: avoid dereferencing a NULL pointer

[Alex Jia]

- Original Message -
From: Eric Blake ebl...@redhat.com

False positive.  Just a few lines earlier, in loop 4, we guaranteed that 
dev was added to driver-activePciHostdevs, therefore, activeDev cannot 
be NULL here.

That said, we could probably simplify things by consolidating loop 5 and 
6 into one, and in the process of that simplification, silence the
 it should consolidate loop 4 and loop 5 into one :-)however, loop 6 steps
 are a clear design if don't consider Coverity complains.

Alex

spurious warning from the static analyzer.

-- 
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 09/10] add leasefile support

[Stefan Berger]

On 10/12/2011 03:50 PM, David L Stevens wrote:

This patch adds support for saving DHCP snooping leases to an on-disk
file and restoring saved leases that are still active on restart.

Signed-off-by: David L Stevensdlstev...@us.ibm.com
---
  src/nwfilter/nwfilter_dhcpsnoop.c |  370 +++--
  1 files changed, 353 insertions(+), 17 deletions(-)

diff --git a/src/nwfilter/nwfilter_dhcpsnoop.c 
b/src/nwfilter/nwfilter_dhcpsnoop.c
index f784a29..eedf550 100644
--- a/src/nwfilter/nwfilter_dhcpsnoop.c
+++ b/src/nwfilter/nwfilter_dhcpsnoop.c
@@ -56,10 +56,21 @@
  #include nwfilter_gentech_driver.h
  #include nwfilter_ebiptables_driver.h
  #include nwfilter_dhcpsnoop.h
+#include configmake.h

  #define VIR_FROM_THIS VIR_FROM_NWFILTER

+#define LEASEFILE LOCALSTATEDIR /run/libvirt/network/nwfilter.leases
+#define TMPLEASEFILE LOCALSTATEDIR /run/libvirt/network/nwfilter.ltmp
+static int lease_fd = -1;
+static int nleases = 0; /* number of active leases */
+static int wleases = 0; /* number of written leases */
+
  static virHashTablePtr SnoopReqs;
+static pthread_mutex_t SnoopLock;
+
+#define snoop_lock(){ pthread_mutex_lock(SnoopLock); }
+#define snoop_unlock()  { pthread_mutex_unlock(SnoopLock); }

  struct virNWFilterSnoopReq {
  virConnectPtr conn;
@@ -90,7 +101,14 @@ struct iplease {

  static struct iplease *ipl_getbyip(struct iplease *start, uint32_t ipaddr);
  static void ipl_update(struct iplease *pl, uint32_t timeout);
-
+
+static struct iflease *getiflease(const char *ifname);
+static void lease_open(void);
+static void lease_close(void);
+static void lease_load(void);
+static void lease_save(struct iplease *ipl);
+static void lease_refresh(void);
+static void lease_restore(struct virNWFilterSnoopReq *req);

  /*
   * ipl_ladd - add an IP lease to a list
@@ -150,6 +168,7 @@ ipl_add(struct iplease *plnew)
  ipl_update(pl, plnew-ipl_timeout);
  return;
  }
+nleases++;
  if (VIR_ALLOC(pl)  0) {
  virReportOOMError();
  return;
@@ -184,6 +203,7 @@ ipl_add(struct iplease *plnew)
  return;
  }
  ipl_tadd(pl);
+lease_save(pl);
  }

  /*
@@ -231,6 +251,7 @@ ipl_del(struct iplease *ipl)
  req = ipl-ipl_req;

  ipl_tdel(ipl);
+lease_save(ipl);

  if (inet_ntop(AF_INET,ipl-ipl_ipaddr, ipbuf, sizeof(ipbuf))) {
  ipstr = strdup(ipbuf);
@@ -248,6 +269,7 @@ ipl_del(struct iplease *ipl)
 _(ipl_del inet_ntop  failed (0x%08X)),
 ipl-ipl_ipaddr);
  VIR_FREE(ipl);
+nleases--;
  }

  /*
@@ -259,6 +281,7 @@ ipl_update(struct iplease *ipl, uint32_t timeout)
  ipl_tdel(ipl);
  ipl-ipl_timeout = timeout;
  ipl_tadd(ipl);
+lease_save(ipl);
  return;
  }

@@ -275,8 +298,6 @@ ipl_getbyip(struct iplease *start, uint32_t ipaddr)
  return pl;
  }

-#define GRACE   5
-
  /*
   * ipl_trun - run the IP lease timeout list
   */
@@ -465,6 +486,19 @@ dhcpopen(const char *intf)
  return handle;
  }

+/*
+ * snoopReqFree - release a snoop Req
+ */
+static void
+snoopReqFree(struct virNWFilterSnoopReq *req)
+{
+if (req-ifname)
+VIR_FREE(req-ifname);
+if (req-vars)
+virNWFilterHashTableFree(req-vars);
+VIR_FREE(req);
+}
+
  static void *
  virNWFilterDHCPSnoop(void *req0)
  {
@@ -479,12 +513,19 @@ virNWFilterDHCPSnoop(void *req0)
  if (!handle)
  return 0;

+/* restore any saved leases for this interface */
+snoop_lock();
+lease_restore(req);
+snoop_unlock();
+
  ifindex = if_nametoindex(req-ifname);

  while (1) {
  if (req-die)
  break;
+snoop_lock();
  ipl_trun(req);
+snoop_unlock();

  packet = (struct eth *) pcap_next(handle,hdr);

@@ -494,16 +535,18 @@ virNWFilterDHCPSnoop(void *req0)
  continue;
  }

+snoop_lock();
  dhcpdecode(req, packet, hdr.caplen);
+snoop_unlock();
  }
+
+snoop_lock();
  /* free all leases */
  for (ipl = req-start; ipl; ipl = req-start)
  ipl_del(ipl);
+snoop_unlock();

-/* free all req data */
-VIR_FREE(req-ifname);
-virNWFilterHashTableFree(req-vars);
-VIR_FREE(req);
+snoopReqFree(req);
  return 0;
  }

@@ -518,9 +561,12 @@ virNWFilterDHCPSnoopReq(virConnectPtr conn,
  {
  struct virNWFilterSnoopReq *req;

+snoop_lock();
  req = virHashLookup(SnoopReqs, ifname);
-if (req)
+snoop_unlock();
+if (req) {
  return 0;
+}
  if (VIR_ALLOC(req)  0) {
  virReportOOMError();
  return 1;
@@ -533,28 +579,30 @@ virNWFilterDHCPSnoopReq(virConnectPtr conn,
  req-ifname = strdup(ifname);
  req-vars = virNWFilterHashTableCreate(0);
  if (!req-vars) {
+snoopReqFree(req);
Following the lookup into the hashtable above you cannot just free the 
request. I suppose you'd first have to remove it from the hash 

Re: [libvirt] Compiler warnings

[Eric Blake]

On 10/17/2011 11:03 AM, Eric Blake wrote:

On 10/17/2011 10:17 AM, Alex Jia wrote:

Eric,
It's latest libvirt upstream, current commit id is commit 0a71c79.

# rpm -q glibc
glibc-2.12-1.42.el6.x86_64




430 if (strchr(toescape, *cur))



CC libvirt_util_la-buf.lo
util/buf.c: In function 'virBufferEscape':
util/buf.c:430: warning: logical '' with non-zero constant will
always
evaluate as true [-Wlogical-op]


Something's screwy. There's no  in that line, unless strchr() is a
macro based on your particular compilation flags. I'm suspecting that
this is a case of -D_FORTIFY_SOURCE going awry. I don't see how this
could possibly be a libvirt issue; more likely, it is an issue with the
choice of compiler flags you are using, coupled with an issue in the
system headers causing the preprocessor to expand strchr() into
something that tickles a spurious gcc warning.


Just to make sure, could you show 'make V=1' output, so we know exactly 
which compiler flags are in effect?


--
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] Compiler warnings

[Eric Blake]

On 10/17/2011 10:17 AM, Alex Jia wrote:

Eric,
It's latest libvirt upstream, current commit id is commit 0a71c79.

# rpm -q glibc
glibc-2.12-1.42.el6.x86_64




430 if (strchr(toescape, *cur))



 CC libvirt_util_la-buf.lo
util/buf.c: In function 'virBufferEscape':
util/buf.c:430: warning: logical '' with non-zero constant will always
evaluate as true [-Wlogical-op]


Something's screwy.  There's no  in that line, unless strchr() is a 
macro based on your particular compilation flags.  I'm suspecting that 
this is a case of -D_FORTIFY_SOURCE going awry.  I don't see how this 
could possibly be a libvirt issue; more likely, it is an issue with the 
choice of compiler flags you are using, coupled with an issue in the 
system headers causing the preprocessor to expand strchr() into 
something that tickles a spurious gcc warning.


--
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 04/10] make default chain policy DROP

[David Stevens]

Stefan Berger stef...@linux.vnet.ibm.com wrote on 10/17/2011 08:50:14 
AM:


 I agree with Daniel's previous comments that this could introduce 
 compatibility problems. It would be best not to change it or if really 
 need be later on introduce an XML attribute for a chain that allows to 
 choose whether the default policy is accept or drop.

This is not a functional change. With the multiple address
support, literally all of the chains in question end with -j DROP.
By changing the default policy to DROP, it removes the requirement
to have the -j DROP  _at_the_end_, which makes appending new rules
without reference to a priority easier.
I think the real sticking point here is whether we consider
the existing standard chains as immutable. If, for compatibility's sake,
we keep address matching as:

if ($IP != ADDRESS) DROP
ACCEPT

then we cannot support multiple IP addresses. If we change this to:

if ($IP == ADDRESS1) RETURN
if ($IP == ADDRESS2) RETURN
...
DROP

all of the standard chains end in -j DROP and making the policy
be DROP expresses exactly the same thing with one less rule per chain.
This also allows appending more allowed addresses without using a
priority to ensure that -j DROP is last.
Any customization to the old filters that do DROP or ACCEPT
will still work and RETURN and CONTINUE were not supported before,
so the default, whether done by -j DROP/ACCEPT or the policy, don't
matter-- the custom rule will behave as it does now. It's just that
that DROP/ACCEPT will bypass subsequent checks that are now possible
if doing RETURN/CONTINUE instead.
But, of course, *any* change to the standard filters requires
a review of custom filters that link into them or modify them.

I think maintaining this level of compatibility simply means
we cannot support multiple addresses. Doing that obviously requires
changing the existing address matching filters, which therefore can't
be linked in in identically the same way. However, I think any
existing customization is trivial to apply after, too. Perhaps an
example filter that causes a problem?

+-DLS



--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 05/10] allow chain modification

[David Stevens]

Stefan Berger stef...@linux.vnet.ibm.com wrote on 10/17/2011 09:07:12 
AM:

 On 10/12/2011 03:50 PM, David L Stevens wrote:
 This patch adds the internal capability to add rules to existing
  chains instead of using temporary chains and to generate placeholders 
for
  chains that are referenced without generating a rule for them 
immediately.
  Finally, it includes variable matching for filter instantiation
  (i.e., instantiate only when a given variable is present in a filter, 
or
  only when it is not).
 
 Following the above I am not sure what this will be used for as part of 
 this extension.

This is used to add rules to existing chains when a new IP address 
is
discovered (i.e., a DHCP ACK from a server occurs). The existing code 
builds
the entire chain as a temporary chain and then swaps it in, which is only
appropriate at start-up. For DHCP snooping, we want to add and remove 
rules
that reference IP using a particular value (the address for the ACK or
lease expiration) without affecting other rules that don't reference IP or
have a different address value. removeRules was already there, but 
addRules
was not.

 +-DLS

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 05/10] allow chain modification

[Stefan Berger]

On 10/17/2011 01:23 PM, David Stevens wrote:

Stefan Bergerstef...@linux.vnet.ibm.com  wrote on 10/17/2011 09:07:12
AM:


On 10/12/2011 03:50 PM, David L Stevens wrote:

This patch adds the internal capability to add rules to existing
chains instead of using temporary chains and to generate placeholders

for

chains that are referenced without generating a rule for them

immediately.

Finally, it includes variable matching for filter instantiation
(i.e., instantiate only when a given variable is present in a filter,

or

only when it is not).


Following the above I am not sure what this will be used for as part of
this extension.

 This is used to add rules to existing chains when a new IP address
is
discovered (i.e., a DHCP ACK from a server occurs). The existing code
builds
the entire chain as a temporary chain and then swaps it in, which is only
appropriate at start-up. For DHCP snooping, we want to add and remove
rules
that reference IP using a particular value (the address for the ACK or
lease expiration) without affecting other rules that don't reference IP or
have a different address value. removeRules was already there, but
addRules
was not.
Yes, then I understood this correctly. See the other mails regarding the 
problems I am seeing with it. If there was a way to figure out at what 
position to insert a rule into an existing chain, i.e. at position 5, 
rather than always at the end, we could use this addRules() call, 
otherwise I find it very limiting.


   Stefan


  +-DLS



--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] qemu: Do not wait if the PCI device is not managed when reattaching

[Eric Blake]

On 10/17/2011 04:58 AM, Osier Yang wrote:

Waiting for qemu-kvm cleaning up the PCI bar(s) mapping with long time
while the device is not managed is just waste of time.
---
  src/qemu/qemu_hostdev.c |   15 ---
  1 files changed, 8 insertions(+), 7 deletions(-)


ACK.

--
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 04/10] make default chain policy DROP

[Stefan Berger]

On 10/17/2011 01:04 PM, David Stevens wrote:

Stefan Bergerstef...@linux.vnet.ibm.com  wrote on 10/17/2011 08:50:14
AM:



I agree with Daniel's previous comments that this could introduce
compatibility problems. It would be best not to change it or if really
need be later on introduce an XML attribute for a chain that allows to
choose whether the default policy is accept or drop.

 This is not a functional change. With the multiple address
support, literally all of the chains in question end with -j DROP.
By changing the default policy to DROP, it removes the requirement
to have the -j DROP  _at_the_end_, which makes appending new rules
without reference to a priority easier.
Yes, '_at_the_end_', that's what I thought. I am not sure whether this 
particular requirement is the best way to proceed since obviously you 
cannot have any other rules with lesser priority after the ones doing 
the 'return' -- whatever those rules may be doing. The alternative would 
be having to instantiate the whole filter chain in the same way as the 
IP address learning thread does with the 'late' filter instantiation 
call -- that would at least get all the priorities correct and not 
introduce a requirement on how one has to write a filter.



 I think the real sticking point here is whether we consider
the existing standard chains as immutable. If, for compatibility's sake,
I don't consider them as immutable but should be replaced with something 
of the same or 'better' functionality.

we keep address matching as:
 if ($IP != ADDRESS) DROP
 ACCEPT

then we cannot support multiple IP addresses. If we change this to:

 if ($IP == ADDRESS1) RETURN
 if ($IP == ADDRESS2) RETURN
 ...
 DROP

all of the standard chains end in -j DROP and making the policy
be DROP expresses exactly the same thing with one less rule per chain.
This also allows appending more allowed addresses without using a
priority to ensure that -j DROP is last.
Yes, I understand that but I don't necessarily like the implications of 
this.



 Any customization to the old filters that do DROP or ACCEPT
will still work and RETURN and CONTINUE were not supported before,
so the default, whether done by -j DROP/ACCEPT or the policy, don't
matter-- the custom rule will behave as it does now. It's just that
that DROP/ACCEPT will bypass subsequent checks that are now possible
if doing RETURN/CONTINUE instead.
 But, of course, *any* change to the standard filters requires
a review of custom filters that link into them or modify them.

 I think maintaining this level of compatibility simply means
we cannot support multiple addresses. Doing that obviously requires
changing the existing address matching filters, which therefore can't
be linked in in identically the same way. However, I think any
existing customization is trivial to apply after, too. Perhaps an
example filter that causes a problem?
I don't have an example filter myself, but I don't know what other 
people may have written.


An alternative would be to say that the existing filters work with the 
IP address learning thread and we would need to introduce new filters 
for support of multiple IP addresses. Yes, the current filters aren't 
prepare for supporting multiple IP addresses per interface.
I don't think replacing the existing filters would be a problem per-se, 
but I don't like that the priority of the rules doing the 'RETURN' is 
assumed to be the lowest in the chain and we can just append anything to 
the end of the chain -- the filters we are writing are just examples and 
someone may come up with a few rules that do something with packets that 
were not RETURN'ed and thus needs to have rules executing behind those. 
Again, maybe (the less efficient but more generic way of) instantiating 
the filters by calling the virNWFilterInstantiateFilterLate() could 
solve part of the problem.



Stefan

 +-DLS





--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH v2] qemu: Do not reattach PCI device used by other domain when shutdown

[Eric Blake]

On 10/17/2011 04:44 AM, Osier Yang wrote:

After thinking a while, even we set the used_by during domains reloading,
the other attrs (dev-unbind_from_stub, dev-reprobe, dev-remove_slot)
of the PCI dev still will be lost. We can't known what values should be
for these attrs as generally they are initialized when do preparation,
however the preparations are already passed, and the devices are using
by the running domains. And thus the device won't be bound to the
original driver (if it had) correctly, or mistakenly bound to some driver
but it didn't have one.

Perhaps we need some new XMLs introduced for hostdevs.


You're right - the only sane way to survive libvirtd restarts is to 
track more information in the domain xml (it can be internal xml, and 
doesn't have to be dumped to the user; compare how we track actual as 
an internal-only detail on how networks were actually allocated). 
Sounds like we've got more work to do in this area.


--
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 07/10] support variable value changing

[David Stevens]

Stefan Berger stef...@linux.vnet.ibm.com wrote on 10/17/2011 09:17:21 
AM:

  +int
  +virNWFilterChangeVar(virConnectPtr conn,

  +if (virNWFilterHashTablePut(vars, var, value, 1)) {
  +virNWFilterReportError(VIR_ERR_INTERNAL_ERROR, _(Cound not 
add 
  +   variable \%s\ to hashmap), var);
  +return 1;
  +}
  +rc = _virNWFilterInstantiateRec(conn,
  +techdriver,
  +nettype,
  +filter,
  +ifname,
  +vars,
  +NWFILTER_STD_VAR_IP, 0,
  +nEntries,insts,
  + INSTANTIATE_ALWAYS,foundNewFilter,
  +driver);
 Given the NWFILTER_STD_VAR_IP parameter, what does it give us at this 
point?

I'm not sure I understand the question. NWFILTER_STD_VAR_IP (aka 
IP) is
the variable we want to match, so this will only affect rules that 
reference IP.
Rules that don't match are not included in the instantiation, and so are 
unaffected.

  + if (delete)
  + rc = techdriver-removeRules(conn, ifname, nptrs, ptrs);
  + else
  + rc = techdriver-addRules(conn, ifname, nptrs, ptrs);
 I am wondering about this addRules() and whether the rules are being 
 added to the end of a chain and thus the rules' assumed priority would 
 have to be such that these rules can actually always be the last ones?
 
Where they are added depends on the original filter. If they have 
a
priority associated with them, it'll use that. It's no different than the
original code's instantiation of rules referencing IP (other than that
this allows multiple occurrences). Without a priority, they appear at the
end of the chain.

+-DLS

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH 3/3] snapshot: implement LIST_LEAVES flag in esx

[Eric Blake]

On 10/15/2011 04:47 PM, Matthias Bolte wrote:

2011/10/8 Eric Blakeebl...@redhat.com:

Relatively straight-forward filtering.

* src/esx/esx_vi.h (esxVI_GetNumberOfSnapshotTrees)
(esxVI_GetSnapshotTreeNames): Add parameter.
* src/esx/esx_vi.c (esxVI_GetNumberOfSnapshotTrees)
(esxVI_GetSnapshotTreeNames): Allow leaf filtering.
* src/esx/esx_driver.c (esxDomainSnapshotNum)
(esxDomainSnapshotListNames, esxDomainSnapshotNumChildren)
(esxDomainSnapshotListChildrenNames): Pass new flag through.
---


Tested, works, ACK.


Thanks; pushed.

--
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 05/10] allow chain modification

[David Stevens]

Stefan Berger stef...@linux.vnet.ibm.com wrote on 10/17/2011 10:31:29 
AM:


  was not.
 Yes, then I understood this correctly. See the other mails regarding the 

 problems I am seeing with it. If there was a way to figure out at what 
 position to insert a rule into an existing chain, i.e. at position 5, 
 rather than always at the end, we could use this addRules() call, 
 otherwise I find it very limiting.

I'm not sure if I answered this already for you or not, but you
can -- by using the priority in the rule. If we don't use the policy
and so have to have a -j DROP at the end, then we'd want the original
filter to use -1 (if I'm remembering correctly -- 1 before end??). You
can specify the rule be added at any point; IP rules would all have
the same priority, because they originate from the same line in the 
filter,
but you can use the priority to offset from the end or beginning, or
any fixed point in the chain.

+-DLS

PS - I haven't tried using negative priorities with nwfilter, but
ebtables/iptables supports it, at least.

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] Add support for autodestroy of guests to the LXC and UML drivers

[Eric Blake]

On 10/17/2011 04:32 AM, Daniel P. Berrange wrote:

From: Daniel P. Berrangeberra...@redhat.com

I wrote this months ago and thought I had already submitted/merged
it. Obviously not. I need this for the virt sandbox tools asap.

We recently added support for VIR_DOMAIN_START_AUTODESTROY and
an impl to the QEMU driver. It is very desirable to support in
other drivers, so this adds it to LXC and UML

* src/lxc/lxc_conf.h, src/lxc/lxc_driver.c,
   src/uml/uml_conf.h, src/uml/uml_driver.c: Wire up autodestroy
   functions
---
  src/lxc/lxc_conf.h   |5 ++
  src/lxc/lxc_driver.c |  140 +--
  src/uml/uml_conf.h   |6 ++
  src/uml/uml_driver.c |  164 +++---
  4 files changed, 289 insertions(+), 26 deletions(-)


ACK.

--
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] qemu: Honor the original properties of PCI device when detaching

[Eric Blake]

On 10/17/2011 05:07 AM, Osier Yang wrote:

This patch fixes two problems:
 1) The device will be reattached to host even if it's not
managed, as there is a pciDeviceSetManaged.
 2) The device won't be reattached to host with original
driver properly. As it doesn't honor the device original
properties which are maintained by driver-activePciHostdevs.
---
  src/qemu/qemu_hotplug.c |   16 
  1 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index bfa524b..f3f0060 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -1956,6 +1956,7 @@ int qemuDomainDetachHostPciDevice(struct qemud_driver 
*driver,
  qemuDomainObjPrivatePtr priv = vm-privateData;
  int i, ret;
  pciDevice *pci;
+pciDevice *activePci;

  for (i = 0 ; i  vm-def-nhostdevs ; i++) {
  if (vm-def-hostdevs[i]-mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS ||
@@ -2015,16 +2016,15 @@ int qemuDomainDetachHostPciDevice(struct qemud_driver 
*driver,
 detach-source.subsys.u.pci.bus,
 detach-source.subsys.u.pci.slot,
 detach-source.subsys.u.pci.function);
-if (!pci)
-ret = -1;
-else {
-pciDeviceSetManaged(pci, detach-managed);
-pciDeviceListDel(driver-activePciHostdevs, pci);
-if (pciResetDevice(pci, driver-activePciHostdevs, NULL)  0)
+if (pci) {
+activePci = pciDeviceListSteal(driver-activePciHostdevs, pci);
+if (pciResetDevice(activePci, driver-activePciHostdevs, NULL)  0)
  ret = -1;
-pciDeviceReAttachInit(pci);
-qemuReattachPciDevice(pci, driver);
+qemuReattachPciDevice(activePci, driver);


This calls qemuReattachPciDevice even if pciResetDevice failed.  I don't 
think that is right.


However, I agree with you that hot-unplug cannot make a device managed 
if it was not already managed, and also that it should be using the 
device attributes from driver-activePciHostdevs rather than from the 
just-created pci in order to properly decide how much work to do on the 
unplug event.


--
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 05/10] allow chain modification

[Stefan Berger]

On 10/17/2011 01:58 PM, David Stevens wrote:

Stefan Bergerstef...@linux.vnet.ibm.com  wrote on 10/17/2011 10:31:29
AM:



was not.

Yes, then I understood this correctly. See the other mails regarding the
problems I am seeing with it. If there was a way to figure out at what
position to insert a rule into an existing chain, i.e. at position 5,
rather than always at the end, we could use this addRules() call,
otherwise I find it very limiting.

 I'm not sure if I answered this already for you or not, but you
can -- by using the priority in the rule. If we don't use the policy
and so have to have a -j DROP at the end, then we'd want the original
filter to use -1 (if I'm remembering correctly -- 1 before end??). You
can specify the rule be added at any point; IP rules would all have
the same priority, because they originate from the same line in the
filter,
but you can use the priority to offset from the end or beginning, or
any fixed point in the chain.

 +-DLS

PS - I haven't tried using negative priorities with nwfilter, but
 ebtables/iptables supports it, at least.
The ebtables / iptables insertion of rules is based on position of the 
rule relative to other existing rules and has nothing to do with 
nwfilter priority  which servers sorting of rules relative to each other 
beyond what their occurrence in the XML provides. So the priority 
doesn't map directly into the position of the rule as ebtables/iptables 
needs it.


Stefan

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 08/10] add DHCP snooping

[Stefan Berger]

On 10/12/2011 03:50 PM, David L Stevens wrote:

+
+#includeconfig.h
+
+#ifdef HAVE_LIBPCAP
+#includepcap.h
+#endif
HAVE_LIBPCAP also has to be handled in the parts that actually call the 
pcap library API and provide a way of failing if libpcap is not available.


--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH 1/1] lxc: use our own hand-rolled code in place of unlockpt and grantpt (v2)

[Serge E. Hallyn]

The glibc ones cannot handle ptys opened in a devpts not mounted at
/dev/pts.

Changelog:
  Oct 17: Per Eli Qiao, use VIR_ALLOC_N when appropriate, make
  sure to check return values, and follow coding style
  convention.
  Change lxcGetTtyGid() to return -1 on error, otherwise
  return gid in passed-in argument.

Signed-off-by: Serge Hallyn serge.hal...@canonical.com
---
 src/lxc/lxc_controller.c |   89 +++--
 1 files changed, 85 insertions(+), 4 deletions(-)

diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index 89ce7f5..8c9caee 100644
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -41,6 +41,8 @@
 #include locale.h
 #include linux/loop.h
 #include dirent.h
+#include grp.h
+#include sys/stat.h
 
 #if HAVE_CAPNG
 # include cap-ng.h
@@ -781,6 +783,88 @@ static int lxcSetPersonality(virDomainDefPtr def)
 #endif
 
 static int
+lxcGetTtyGid(int *gid) {
+char *grtmpbuf;
+struct group grbuf;
+size_t grbuflen = sysconf(_SC_GETGR_R_SIZE_MAX);
+struct group *p;
+int ret;
+gid_t tty_gid = -1;
+
+/* Get the group ID of the special `tty' group.  */
+if (grbuflen == (size_t) -1L)
+/* `sysconf' does not support _SC_GETGR_R_SIZE_MAX.
+   Try a moderate value.  */
+grbuflen = 1024;
+
+if ((VIR_ALLOC_N(grtmpbuf, grbuflen))  0)
+   return -1;
+
+ret = getgrnam_r(tty, grbuf, grtmpbuf, grbuflen, p);
+if (ret || p != NULL)
+tty_gid = p-gr_gid;
+
+VIR_FREE(grtmpbuf);
+
+*gid = tty_gid == -1 ? getgid() : tty_gid;
+return 0;
+}
+
+#define ACCESSPERMS (S_IRWXU|S_IRWXG|S_IRWXO) /* 0777 */
+
+/* heavily borrowed from glibc, but don't assume devpts == /dev/pts */
+static int
+lxcCreateTty(char *ptmx, int *ttymaster, char **ttyName)
+{
+int rc = -1;
+int ret;
+int ptyno;
+uid_t uid;
+gid_t gid;
+struct stat st;
+int unlock = 0;
+
+if ((*ttymaster = open(ptmx, O_RDWR|O_NOCTTY|O_NONBLOCK))  0)
+goto cleanup;
+
+if (ioctl(*ttymaster, TIOCSPTLCK, unlock)  0)
+goto cleanup;
+
+if (ioctl(*ttymaster, TIOCGPTN, ptyno)  0)
+goto cleanup;
+
+if (fstat(*ttymaster, st)  0)
+goto cleanup;
+
+if (lxcGetTtyGid(gid)  0)
+goto cleanup;
+
+uid = getuid();
+if (st.st_uid != uid || st.st_gid != gid)
+if (fchown(*ttymaster, uid, gid)  0)
+goto cleanup;
+
+if ((st.st_mode  ACCESSPERMS) != (S_IRUSR|S_IWUSR|S_IWGRP))
+if (fchmod(*ttymaster, S_IRUSR|S_IWUSR|S_IWGRP)  0)
+goto cleanup;
+
+if (VIR_ALLOC_N(*ttyName, PATH_MAX)  0) {
+errno = ENOMEM;
+goto cleanup;
+}
+
+snprintf(*ttyName, PATH_MAX, /dev/pts/%d, ptyno);
+
+rc = 0;
+
+cleanup:
+if (rc != 0)
+VIR_FORCE_CLOSE(*ttymaster);
+
+return rc;
+}
+
+static int
 lxcControllerRun(virDomainDefPtr def,
  unsigned int nveths,
  char **veths,
@@ -894,10 +978,7 @@ lxcControllerRun(virDomainDefPtr def,
 
 if (devptmx) {
 VIR_DEBUG(Opening tty on private %s, devptmx);
-if (virFileOpenTtyAt(devptmx,
- containerPty,
- containerPtyPath,
- 0)  0) {
+if (lxcCreateTty(devptmx, containerPty, containerPtyPath)  0) {
 virReportSystemError(errno, %s,
  _(Failed to allocate tty));
 goto cleanup;
-- 
1.7.5.4

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] Add AHCI support to qemu driver

[Jim Fehlig]

Adam Litke wrote:
 On Mon, Oct 03, 2011 at 10:46:18PM -0600, Jim Fehlig wrote:
   
 Adam Litke wrote:
 
 Hi Jim.  I was testing this and found that I could not boot from the sata 
 disks
 I defined.  When I switch them back to ide, they can be booted just fine.
 Perhaps something is missing from the boot order logic?
   
   
 Hmm, I didn't notice this in my testing.  sda in the below config
 contained /boot.  Can you provide the domain config?
 

   
Hi Adam,

I've been traveling, sorry for the delay...

 With the following config, I end up booting from the cdrom.  If I take away 
 the
 cdrom definition completely, I am unable to boot at all.
   

I can boot fine with your config, either from sda (boot dev='hd' /) or
cdrom (boot dev='cdrom' /).

Have you verified your seabios supports booting from ahci as Bruce
mentioned?

Thanks,
Jim

 domain type='kvm'
   nameblockPull-test/name
   memory262144/memory
   currentMemory262144/currentMemory
   vcpu1/vcpu
   os
 type arch='x86_64' machine='pc-0.13'hvm/type
 boot dev='hd'/
   /os
   features
 acpi/
 apic/
 pae/
   /features
   clock offset='utc'/
   on_poweroffdestroy/on_poweroff
   on_rebootrestart/on_reboot
   on_crashrestart/on_crash
   devices
 
 emulator/home/aglitke/src/qemu/x86_64-softmmu/qemu-system-x86_64/emulator
 disk type='file' device='disk'
   driver name='qemu' type='qed'/
   source file='/home/aglitke/vm/sata-test/disk1.qed' /
   target dev='sda' bus='sata'/
 /disk
 disk type='file' device='disk'
   driver name='qemu' type='qed'/
   source file='/home/aglitke/vm/sata-test/disk2.qed' /
   target dev='sdb' bus='sata'/
 /disk
 disk type='file' device='cdrom'
   driver name='qemu' type='raw'/
   source file='/home/aglitke/vm/images/natty-alternate-amd64.iso' /
   target dev='hda' bus='ide'/
 /disk
 interface type=network
   source network=default /
 /interface
 graphics type='vnc' port='-1' autoport='yes'/
   /devices
 /domain

   

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] Add AHCI support to qemu driver

[Eric Blake]

On 09/28/2011 04:43 PM, Jim Fehlig wrote:

Tested with multiple AHCI controllers and multiple disks attached
to a controller. E.g.,

+++ b/src/qemu/qemu_capabilities.c
@@ -139,6 +139,7 @@ VIR_ENUM_IMPL(qemuCaps, QEMU_CAPS_LAST,
no-shutdown,

cache-unsafe, /* 75 */
+  ich9-ahci,


You'll have to rebase here, but nothing too difficult.

ACK.

--
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH 1/1] lxc: use our own hand-rolled code in place of unlockpt and grantpt (v2)

[Eric Blake]

On 10/17/2011 01:04 PM, Serge E. Hallyn wrote:

The glibc ones cannot handle ptys opened in a devpts not mounted at
/dev/pts.

Changelog:
   Oct 17: Per Eli Qiao, use VIR_ALLOC_N when appropriate, make
   sure to check return values, and follow coding style
  convention.
  Change lxcGetTtyGid() to return -1 on error, otherwise
  return gid in passed-in argument.

Signed-off-by: Serge Hallynserge.hal...@canonical.com
---
  src/lxc/lxc_controller.c |   89 +++--
  1 files changed, 85 insertions(+), 4 deletions(-)




@@ -781,6 +783,88 @@ static int lxcSetPersonality(virDomainDefPtr def)
  #endif

  static int
+lxcGetTtyGid(int *gid) {
+char *grtmpbuf;
+struct group grbuf;
+size_t grbuflen = sysconf(_SC_GETGR_R_SIZE_MAX);
+struct group *p;
+int ret;
+gid_t tty_gid = -1;


Hmm.  This gets called once per lxc guest, instead of once per libvirtd 
process, even though the gid won't change in the meantime.


Furthermore, we have _already_ hardcoded this to 5, based on the options 
we gave to mount(devpts) - either we need to fix that mount call 
(better), or we can skip this function altogether (assuming that our 
hard-coding of 5 is correct, there's no need to requery it, although 
that does sound like a worse solution).  For that matter, the whole 
point of the mount(devpts,...,gid=5) designation is that the new pty 
will be owned by gid 5, without needing to fchown() it.  Are there 
kernels that are new enough to support newinstance mounting, yet old 
enough to not honor gid=5?  That would be the only case where we would 
have to chown in the first place.  But if all kernels new enough to 
support newinstance mounting correctly honor the gid=5 option, then we 
don't even have to do chown() calls [but we still have to fix the 
hard-coding of gid=5 in the mount() option].




+if (fstat(*ttymaster,st)  0)
+goto cleanup;
+
+if (lxcGetTtyGid(gid)  0)
+goto cleanup;
+
+uid = getuid();
+if (st.st_uid != uid || st.st_gid != gid)
+if (fchown(*ttymaster, uid, gid)  0)
+goto cleanup;
+
+if ((st.st_mode  ACCESSPERMS) != (S_IRUSR|S_IWUSR|S_IWGRP))
+if (fchmod(*ttymaster, S_IRUSR|S_IWUSR|S_IWGRP)  0)
+goto cleanup;


Likewise, I think this fchmod() is useless; the mode=0620 in the mount 
option should have already set this up.



+
+if (VIR_ALLOC_N(*ttyName, PATH_MAX)  0) {
+errno = ENOMEM;
+goto cleanup;
+}


Wasteful.  PATH_MAX is MUCH bigger than we need.


+
+snprintf(*ttyName, PATH_MAX, /dev/pts/%d, ptyno);


Instead, I'd just do this as:

virAsprintf(ttyName, /dev/pts/%d, ptyno);

Also, do we want this to be the name of the pty, _as seen from the guest 
after the fs pivot is complete_, or do we want this to be the name of 
the pty, as seen from the host prior to the pivot, in which case it 
would be some derivative of %s/dev/pts/%d, root-src, ptyno?


--
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 04/10] make default chain policy DROP

[David Stevens]

Stefan Berger stef...@linux.vnet.ibm.com wrote on 10/17/2011 10:29:08 
AM:

 Yes, '_at_the_end_', that's what I thought. I am not sure whether this 
 particular requirement is the best way to proceed since obviously you 
 cannot have any other rules with lesser priority after the ones doing 
 the 'return' -- whatever those rules may be doing.
Not in the same chain, but  if a chain is checking multiple
allowed values for the same field, that's all that chain should be doing.
Checking some other condition should be done after passing, e.g., the IP
address checks and would be done because of the RETURN. Current code 
does
an ACCEPT or REJECT at that point, so *requires* modification of the
existing chain.
Any current filters are even worse because without RETURN and
CONTINUE, they can only accept or drop a packet without further 
processing.
With this patchset, you can apply multiple tests to the same packet with
only the restriction that testing other fields in that packet require a 
different
subchain-- something not possible at all today.
If, for example, you want to allow 100 ports and a particular IP
address, reject everything else, won't that require a DROP rule for
65436 ports so that you don't accept either based on just the port or
just the IP address? Or , you'd have to combine the IP address check in
every port-check rule and do it before you do the blanket  ACCEPT in
the standard rule.


 An alternative would be to say that the existing filters work with the 
 IP address learning thread and we would need to introduce new filters 
 for support of multiple IP addresses. Yes, the current filters aren't 
 prepare for supporting multiple IP addresses per interface.

Yes, I thought about this, but it really is just duplicating the
entire set with a different name. I think especially without support
for RETURN/CONTINUE, as a practical matter the only way to modify the
current filters to do interesting things is to replace them. Anyone doing
that will not be affected by a change to the standard rules, except for
the possibly trivial addition of a -j ACCEPT at the end if they require
a default ACCEPT for the modified rules.

 I don't think replacing the existing filters would be a problem per-se, 
 but I don't like that the priority of the rules doing the 'RETURN' is 
 assumed to be the lowest in the chain and we can just append anything to 

 the end of the chain -- the filters we are writing are just examples and 

 someone may come up with a few rules that do something with packets that 

 were not RETURN'ed and thus needs to have rules executing behind those. 
 Again, maybe (the less efficient but more generic way of) instantiating 
 the filters by calling the virNWFilterInstantiateFilterLate() could 
 solve part of the problem.

The only use I've added for addRules is the
multiple address check and that should not have other random fields in
the same chain. Better would be to have a different chain linked at the
top after the address checks. In fact, for compatibility, it'd be possible
to change the address checks to a different chain and leave an empty
ip  and arp chain that does only accept. It's just that it isn't 
really all
that compatible if what's really happening is that a customer is replacing
the existing chains with modifications, rather than applying additional 
rules
to it.
In the end, any modification whatsoever to the examples 
directory
requires someone who has customized a filter to look at the customization
again. Addition of RETURN/CONTINUE makes that easier in the future. 
With
the existing filters, any customization cannot be independent of the 
internals
of the existing filters (it's adding rules in the middle of it), so the 
only
way to maintain compatibility is to never change them.
With RETURN/CONTINUE and your suggested user-defined chain(s), 
you
can apply the standard sets with RETURN for acceptable packets and then
apply any user-defined checks  also to the same packets afterwards. I 
think
that's the right approach, but it requires either changing the existing 
chains
or introducing a completely parallel set and not using the original 
filters
at all, except for sites that want the old stuff only.


+-DLS



--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH 1/1] lxc: use our own hand-rolled code in place of unlockpt and grantpt (v2)

[Serge E. Hallyn]

Quoting Eric Blake (ebl...@redhat.com):
 On 10/17/2011 01:04 PM, Serge E. Hallyn wrote:
 The glibc ones cannot handle ptys opened in a devpts not mounted at
 /dev/pts.
 
 Changelog:
Oct 17: Per Eli Qiao, use VIR_ALLOC_N when appropriate, make
sure to check return values, and follow coding style
convention.
Change lxcGetTtyGid() to return -1 on error, otherwise
return gid in passed-in argument.
 
 Signed-off-by: Serge Hallynserge.hal...@canonical.com
 ---
   src/lxc/lxc_controller.c |   89 
  +++--
   1 files changed, 85 insertions(+), 4 deletions(-)
 
 
 @@ -781,6 +783,88 @@ static int lxcSetPersonality(virDomainDefPtr def)
   #endif
 
   static int
 +lxcGetTtyGid(int *gid) {
 +char *grtmpbuf;
 +struct group grbuf;
 +size_t grbuflen = sysconf(_SC_GETGR_R_SIZE_MAX);
 +struct group *p;
 +int ret;
 +gid_t tty_gid = -1;
 
 Hmm.  This gets called once per lxc guest, instead of once per
 libvirtd process, even though the gid won't change in the meantime.
 
 Furthermore, we have _already_ hardcoded this to 5, based on the
 options we gave to mount(devpts) - either we need to fix that
 mount call (better), or we can skip this function altogether
 (assuming that our hard-coding of 5 is correct, there's no need to
 requery it, although that does sound like a worse solution).  For
 that matter, the whole point of the mount(devpts,...,gid=5)
 designation is that the new pty will be owned by gid 5, without
 needing to fchown() it.  Are there kernels that are new enough to
 support newinstance mounting, yet old enough to not honor gid=5?

No.  Mode and gid precede multiple devpts instances.

 That would be the only case where we would have to chown in the
 first place.  But if all kernels new enough to support newinstance
 mounting correctly honor the gid=5 option, then we don't even have
 to do chown() calls [but we still have to fix the hard-coding of
 gid=5 in the mount() option].

I missed something - why do we have to fix that?

It seems to me you're right - this is a linux-specific fn and
we are setting gid to 5 and the mode, we can skip this whole lxcGetTtyGid
function and the corresponding fchown and fchmod calls.  Nice!

 +if (fstat(*ttymaster,st)  0)
 +goto cleanup;
 +
 +if (lxcGetTtyGid(gid)  0)
 +goto cleanup;
 +
 +uid = getuid();
 +if (st.st_uid != uid || st.st_gid != gid)
 +if (fchown(*ttymaster, uid, gid)  0)
 +goto cleanup;
 +
 +if ((st.st_mode  ACCESSPERMS) != (S_IRUSR|S_IWUSR|S_IWGRP))
 +if (fchmod(*ttymaster, S_IRUSR|S_IWUSR|S_IWGRP)  0)
 +goto cleanup;
 
 Likewise, I think this fchmod() is useless; the mode=0620 in the
 mount option should have already set this up.

Yup.

 +
 +if (VIR_ALLOC_N(*ttyName, PATH_MAX)  0) {
 +errno = ENOMEM;
 +goto cleanup;
 +}
 
 Wasteful.  PATH_MAX is MUCH bigger than we need.

I thought so, but it was being done that way before, and didn't
seem all that important.

 +
 +snprintf(*ttyName, PATH_MAX, /dev/pts/%d, ptyno);
 
 Instead, I'd just do this as:
 
 virAsprintf(ttyName, /dev/pts/%d, ptyno);

Where virAsprintf will allocate when ttyName starts as null?

 Also, do we want this to be the name of the pty, _as seen from the
 guest after the fs pivot is complete_, or do we want this to be the
 name of the pty, as seen from the host prior to the pivot, in which
 case it would be some derivative of %s/dev/pts/%d, root-src,
 ptyno?

This gets passed into lxc_container which then prepends the chroot
location.  Don't know if there is any reason why we can't just
set it to the full name here, haven't looked further.

-serge

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH 1/1] lxc: use our own hand-rolled code in place of unlockpt and grantpt (v2)

[Eric Blake]

On 10/17/2011 03:29 PM, Serge E. Hallyn wrote:

that matter, the whole point of the mount(devpts,...,gid=5)
designation is that the new pty will be owned by gid 5, without
needing to fchown() it.  Are there kernels that are new enough to
support newinstance mounting, yet old enough to not honor gid=5?


No.  Mode and gid precede multiple devpts instances.


Good to hear.  In other words, glibc has to worry about it when dealing 
with /dev/pts, because it caters to older kernels that lacked multiple 
devpts, but lxc can take shortcuts based on guarantees present by virtue 
of the existence of multiple instances.  But definitely some comments in 
the code are called for, explaining why we are taking these shortcuts.



[but we still have to fix the hard-coding of
gid=5 in the mount() option].


I missed something - why do we have to fix that?


We don't have to fix it now, but we should fix it someday.  There's 
nothing that says a distro has to map 'tty' to gid 5, and while most 
distros do that, we should instead be portable to compilation on a 
distro where 'tty' is gid 6 (or some other unusual number).



Instead, I'd just do this as:

virAsprintf(ttyName, /dev/pts/%d, ptyno);


Where virAsprintf will allocate when ttyName starts as null?


Yep - the whole point of virAsprintf is to allocate the string on your 
behalf, and to gracefully ensure that ttyName is NULL on allocation 
failure - much more compact than using snprintf yourself, and avoids the 
waste of a PATH_MAX allocation.


And, while you are at it, what about also fixing src/util/util.c to 
remove virFileOpenTtyAt (now that no one calls that), by moving its body 
into virFileOpenTty except for using posix_openpt instead of 
open(/dev/ptmx).


--
Eric Blake   ebl...@redhat.com+1-801-349-2682
Libvirt virtualization library http://libvirt.org

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] Add AHCI support to qemu driver

[Jim Fehlig]

Eric Blake wrote:
 On 09/28/2011 04:43 PM, Jim Fehlig wrote:
 Tested with multiple AHCI controllers and multiple disks attached
 to a controller. E.g.,

 +++ b/src/qemu/qemu_capabilities.c
 @@ -139,6 +139,7 @@ VIR_ENUM_IMPL(qemuCaps, QEMU_CAPS_LAST,
 no-shutdown,

 cache-unsafe, /* 75 */
 +  ich9-ahci,

 You'll have to rebase here, but nothing too difficult.

Yep, simple rebase


 ACK.

and pushed.

Thanks!
Jim

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 04/10] make default chain policy DROP

[Stefan Berger]

On 10/17/2011 05:22 PM, David Stevens wrote:

Stefan Bergerstef...@linux.vnet.ibm.com  wrote on 10/17/2011 10:29:08
AM:


Yes, '_at_the_end_', that's what I thought. I am not sure whether this
particular requirement is the best way to proceed since obviously you
cannot have any other rules with lesser priority after the ones doing
the 'return' -- whatever those rules may be doing.

 Not in the same chain, but  if a chain is checking multiple
allowed values for the same field, that's all that chain should be doing.
Sure, and what if I wanted to do something with packets that were not 
RETURN'ed, where would I treat them besides *after* the RETURN?

Checking some other condition should be done after passing, e.g., the IP
address checks and would be done because of the RETURN. Current code
does
an ACCEPT or REJECT at that point, so *requires* modification of the
existing chain.
 Any current filters are even worse because without RETURN and
CONTINUE, they can only accept or drop a packet without further
processing.

Not arguing against that.

With this patchset, you can apply multiple tests to the same packet with
only the restriction that testing other fields in that packet require a
different
subchain-- something not possible at all today.
 If, for example, you want to allow 100 ports and a particular IP
address, reject everything else, won't that require a DROP rule for
65436 ports so that you don't accept either based on just the port or
just the IP address? Or , you'd have to combine the IP address check in
every port-check rule and do it before you do the blanket  ACCEPT in
the standard rule.



An alternative would be to say that the existing filters work with the
IP address learning thread and we would need to introduce new filters
for support of multiple IP addresses. Yes, the current filters aren't
prepare for supporting multiple IP addresses per interface.

 Yes, I thought about this, but it really is just duplicating the
entire set with a different name. I think especially without support
for RETURN/CONTINUE, as a practical matter the only way to modify the
current filters to do interesting things is to replace them. Anyone doing
that will not be affected by a change to the standard rules, except for
the possibly trivial addition of a -j ACCEPT at the end if they require
a default ACCEPT for the modified rules.


I don't think replacing the existing filters would be a problem per-se,
but I don't like that the priority of the rules doing the 'RETURN' is
assumed to be the lowest in the chain and we can just append anything to
the end of the chain -- the filters we are writing are just examples and
someone may come up with a few rules that do something with packets that
were not RETURN'ed and thus needs to have rules executing behind those.
Again, maybe (the less efficient but more generic way of) instantiating
the filters by calling the virNWFilterInstantiateFilterLate() could
solve part of the problem.

 The only use I've added for addRules is the
multiple address check and that should not have other random fields in
the same chain. Better would be to have a different chain linked at the
What if in the future we were to support ebtables logging and wanted to 
log any packet that has not been handled with a RETURN, thus for example 
logging MAC spoofing -- just as an example. I don't see how one would do 
that without adding rules into the mac chain *after* the rules that do 
the RETURN for packets with acceptable source MAC addresses and all 
others get logged. I would not call these 'random fields' being 
evaluated, but that the implementation of addRules() requires the 
filters to be limited in a way that may at some point become a problem 
for some use cases and someone has to reimplement it then.


   Stefan


--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [libvirt PATCHv3 10/10] support multiple static IP addresses

[Stefan Berger]

On 10/12/2011 03:50 PM, David L Stevens wrote:

This patch adds support for multiple static IP addresses in a
comma-separated list. For example:

 interface type='network'
   filterref filter='clean-traffic'
 parameter name='ip_learning' value='none'/
 parameter name='IP' value='10.0.0.1,10.1.0.7,10.0.3.8,10.0.9.244'/
   /filterref
 ...

Signed-off-by: David L Stevensdlstev...@us.ibm.com
---
  src/nwfilter/nwfilter_gentech_driver.c |   26 ++
  1 files changed, 26 insertions(+), 0 deletions(-)

diff --git a/src/nwfilter/nwfilter_gentech_driver.c 
b/src/nwfilter/nwfilter_gentech_driver.c
index 577b48d..8f74a01 100644
--- a/src/nwfilter/nwfilter_gentech_driver.c
+++ b/src/nwfilter/nwfilter_gentech_driver.c
@@ -920,6 +920,8 @@ __virNWFilterInstantiateFilter(virConnectPtr conn,
  char *str_macaddr = NULL;
  const char *ipaddr;
  char *str_ipaddr = NULL;
+char *ipaddrlist = NULL;
+char *sep;

  techdriver = virNWFilterTechDriverForName(drvname);

@@ -983,6 +985,17 @@ __virNWFilterInstantiateFilter(virConnectPtr conn,
  goto err_exit_vars1;
  }

+ipaddr = virHashLookup(filterparams-hashTable, NWFILTER_STD_VAR_IP);
+if (ipaddr) {
+sep = strchr(ipaddr, ',');
+if (sep) {
+str_ipaddr = strndup(ipaddr, sep-ipaddr);
+ipaddrlist = strdup(sep + 1);

Check for str_ipaddr or ipaddrlist being NULL.

+virNWFilterHashTablePut(vars, NWFILTER_STD_VAR_IP, str_ipaddr, 1);
+}
+}
+str_ipaddr = NULL;
+
  filter = obj-def;

  switch (useNewFilter) {
@@ -1011,6 +1024,19 @@ __virNWFilterInstantiateFilter(virConnectPtr conn,
  driver,
  forceWithPendingReq);

+/* add the rest of the IP list */
+for (ipaddr = ipaddrlist; ipaddr; ipaddr = sep) {
+sep = strchr(ipaddr, ',');
+if (sep) {
+str_ipaddr = strndup(ipaddr, sep-ipaddr);

Test for NULL result.

+sep++; /* skip ',' */
+} else
+str_ipaddr = strdup(ipaddr);

Also here.

+virNWFilterChangeVar(conn, techdriver, nettype, filter, ifname, vars,
+ driver, NWFILTER_STD_VAR_IP, str_ipaddr, 0);
+
+}
+str_ipaddr = NULL;
  virNWFilterHashTableFree(vars);

  err_exit_vars1:


--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] qemu: Do not wait if the PCI device is not managed when reattaching

[Osier Yang]

于 2011年10月18日 01:47, Eric Blake 写道:

On 10/17/2011 04:58 AM, Osier Yang wrote:

Waiting for qemu-kvm cleaning up the PCI bar(s) mapping with long time
while the device is not managed is just waste of time.
---
src/qemu/qemu_hostdev.c | 15 ---
1 files changed, 8 insertions(+), 7 deletions(-)


ACK.



Pushed.

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] Compiler warnings

[Wen Congyang]

At 10/18/2011 01:04 AM, Eric Blake Write:
 On 10/17/2011 11:03 AM, Eric Blake wrote:
 On 10/17/2011 10:17 AM, Alex Jia wrote:
 Eric,
 It's latest libvirt upstream, current commit id is commit 0a71c79.

 # rpm -q glibc
 glibc-2.12-1.42.el6.x86_64


 430 if (strchr(toescape, *cur))

 CC libvirt_util_la-buf.lo
 util/buf.c: In function 'virBufferEscape':
 util/buf.c:430: warning: logical '' with non-zero constant will
 always
 evaluate as true [-Wlogical-op]

 Something's screwy. There's no  in that line, unless strchr() is a
 macro based on your particular compilation flags. I'm suspecting that
 this is a case of -D_FORTIFY_SOURCE going awry. I don't see how this
 could possibly be a libvirt issue; more likely, it is an issue with the
 choice of compiler flags you are using, coupled with an issue in the
 system headers causing the preprocessor to expand strchr() into
 something that tickles a spurious gcc warning.
 
 Just to make sure, could you show 'make V=1' output, so we know exactly
 which compiler flags are in effect?
 

I can reproduce this problem, here is 'make V=1' output:

=
make[3]: Entering directory `/root/rpmbuild/BUILD/libvirt-0.9.6/src'
/bin/sh ../libtool  --tag=CC   --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H 
-I. -I.. -I../gnulib/lib -I../gnulib/lib -I../include -I../src/util 
-I../include -DIN_LIBVIRT-I/usr/include/libxml2   -Wall -W -Wformat-y2k 
-Wformat-security -Winit-self -Wmissing-include-dirs -Wunused -Wunknown-pragmas 
-Wstrict-aliasing -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align 
-Wwrite-strings -Wlogical-op -Waggregate-return -Wstrict-prototypes 
-Wold-style-definition -Wmissing-prototypes -Wmissing-declarations 
-Wmissing-noreturn -Wmissing-format-attribute -Wredundant-decls 
-Wnested-externs -Winline -Winvalid-pch -Wvolatile-register-var 
-Wdisabled-optimization -Wbuiltin-macro-redefined -Wmudflap 
-Wpacked-bitfield-compat -Wsync-nand -Wattributes -Wcoverage-mismatch 
-Wmultichar -Wno-missing-field-initializers -Wno-sign-compare 
-Wframe-larger-than=4096 -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector-all 
--param=ssp-buffer-size=4 -fexceptions -fasynchronous-unwind-tables 
-fdiagnostics-s
how-option -funit-at-a-time -Werror  -O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic -MT libvirt_util_la-buf.lo -MD 
-MP -MF .deps/libvirt_util_la-buf.Tpo -c -o libvirt_util_la-buf.lo `test -f 
'util/buf.c' || echo './'`util/buf.c
libtool: compile:  gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I../gnulib/lib 
-I../gnulib/lib -I../include -I../src/util -I../include -DIN_LIBVIRT 
-I/usr/include/libxml2 -Wall -W -Wformat-y2k -Wformat-security -Winit-self 
-Wmissing-include-dirs -Wunused -Wunknown-pragmas -Wstrict-aliasing -Wshadow 
-Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-strings -Wlogical-op 
-Waggregate-return -Wstrict-prototypes -Wold-style-definition 
-Wmissing-prototypes -Wmissing-declarations -Wmissing-noreturn 
-Wmissing-format-attribute -Wredundant-decls -Wnested-externs -Winline 
-Winvalid-pch -Wvolatile-register-var -Wdisabled-optimization 
-Wbuiltin-macro-redefined -Wmudflap -Wpacked-bitfield-compat -Wsync-nand 
-Wattributes -Wcoverage-mismatch -Wmultichar -Wno-missing-field-initializers 
-Wno-sign-compare -Wframe-larger-than=4096 -Wp,-D_FORTIFY_SOURCE=2 
-fstack-protector-all --param=ssp-buffer-size=4 -fexceptions 
-fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time -Werror 
-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic -MT libvirt_util_la-buf.lo -MD 
-MP -MF .deps/libvirt_util_la-buf.Tpo -c util/buf.c  -fPIC -DPIC -o 
.libs/libvirt_util_la-buf.o
cc1: warnings being treated as errors
util/buf.c: In function 'virBufferEscape':
util/buf.c:430: error: logical '' with non-zero constant will always evaluate 
as true [-Wlogical-op]
make[3]: *** [libvirt_util_la-buf.lo] Error 1
=

If I remove -O2, I can build util/buf.c.

I am still investigating this problem.

Thanks
Wen Congyang

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCHv2 01/13] virbuf: fix const-correctness

[Hai Dong Li]

On 10/17/2011 10:36 PM, Eric Blake wrote:

On 10/17/2011 05:20 AM, Hai Dong Li wrote:

On 09/30/2011 12:22 AM, Eric Blake wrote:

Although the compiler wasn't complaining (since it was the pointer,
rather than what was being pointed to, that was actually const), it
looks quite suspicious to call a function with an argument labeled
const when the nature of the pointer (virBufferPtr) is hidden behind
a typedef. Dropping const makes the function declarations easier
to read.




+++ b/src/util/buf.c
@@ -39,7 +39,7 @@ struct _virBuffer {
* freeing the content and setting the error flag.
*/
static void
-virBufferSetError(const virBufferPtr buf)
+virBufferSetError(virBufferPtr buf)
{
VIR_FREE(buf-content);
buf-size = 0;
@@ -113,7 +113,7 @@ virBufferAdd(const virBufferPtr buf, const char
*str, int len)


Maybe a typo here?The virBufferPtr still remains const, but the
declaration of this function in the buf.h shows this const is 
removed, too.


No.  Rather, this is an artifact of git diff.  When showing the 
context line for a hunk, it uses the context from the pre-patch file 
(where the 'const' was still present), even though the hunk itself 
applies to the post-patch version without 'const'.  Basically, I never 
worry about the @@ lines - they are there as hints for where to apply 
the patch, and not a definitive part of the patch itself.



Okay, forget the context line.
What I wanted to say is that the function virBufferAdd in the buf.c 
still has the const before the virBufferPtr while the declaration of 
this function in buf.h has const removed, after applying this patch.


--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] Compiler warnings

[Wen Congyang]

At 10/18/2011 01:03 AM, Eric Blake Write:
 On 10/17/2011 10:17 AM, Alex Jia wrote:
 Eric,
 It's latest libvirt upstream, current commit id is commit 0a71c79.

 # rpm -q glibc
 glibc-2.12-1.42.el6.x86_64

 
 430 if (strchr(toescape, *cur))
 
  CC libvirt_util_la-buf.lo
 util/buf.c: In function 'virBufferEscape':
 util/buf.c:430: warning: logical '' with non-zero constant will
 always
 evaluate as true [-Wlogical-op]
 
 Something's screwy.  There's no  in that line, unless strchr() is a
 macro based on your particular compilation flags.  I'm suspecting that
 this is a case of -D_FORTIFY_SOURCE going awry.  I don't see how this
 could possibly be a libvirt issue; more likely, it is an issue with the
 choice of compiler flags you are using, coupled with an issue in the
 system headers causing the preprocessor to expand strchr() into
 something that tickles a spurious gcc warning.
 

Yes, strchr() is a macro, I use -E, and get the following:

while (*cur != 0) {
if ((__extension__ (__builtin_constant_p (*cur)  
!__builtin_constant_p (toescape)  (*cur) == '\0' ? (char *) __rawmemchr 
(toescape, *cur) : __builtin_strchr (toescape, *cur
*out++ = '\\';
*out++ = *cur;
cur++;
}
*out = 0;

Thanks
Wen Congyang

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] Compiler warnings

[Wen Congyang]

At 10/18/2011 09:32 AM, Wen Congyang Write:
 At 10/18/2011 01:04 AM, Eric Blake Write:
 On 10/17/2011 11:03 AM, Eric Blake wrote:
 On 10/17/2011 10:17 AM, Alex Jia wrote:
 Eric,
 It's latest libvirt upstream, current commit id is commit 0a71c79.

 # rpm -q glibc
 glibc-2.12-1.42.el6.x86_64


 430 if (strchr(toescape, *cur))

 CC libvirt_util_la-buf.lo
 util/buf.c: In function 'virBufferEscape':
 util/buf.c:430: warning: logical '' with non-zero constant will
 always
 evaluate as true [-Wlogical-op]

 Something's screwy. There's no  in that line, unless strchr() is a
 macro based on your particular compilation flags. I'm suspecting that
 this is a case of -D_FORTIFY_SOURCE going awry. I don't see how this
 could possibly be a libvirt issue; more likely, it is an issue with the
 choice of compiler flags you are using, coupled with an issue in the
 system headers causing the preprocessor to expand strchr() into
 something that tickles a spurious gcc warning.

 Just to make sure, could you show 'make V=1' output, so we know exactly
 which compiler flags are in effect?

 
 I can reproduce this problem, here is 'make V=1' output:
 
 =
 make[3]: Entering directory `/root/rpmbuild/BUILD/libvirt-0.9.6/src'
 /bin/sh ../libtool  --tag=CC   --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H 
 -I. -I.. -I../gnulib/lib -I../gnulib/lib -I../include -I../src/util 
 -I../include -DIN_LIBVIRT-I/usr/include/libxml2   -Wall -W 
 -Wformat-y2k -Wformat-security -Winit-self -Wmissing-include-dirs -Wunused 
 -Wunknown-pragmas -Wstrict-aliasing -Wshadow -Wpointer-arith 
 -Wbad-function-cast -Wcast-align -Wwrite-strings -Wlogical-op 
 -Waggregate-return -Wstrict-prototypes -Wold-style-definition 
 -Wmissing-prototypes -Wmissing-declarations -Wmissing-noreturn 
 -Wmissing-format-attribute -Wredundant-decls -Wnested-externs -Winline 
 -Winvalid-pch -Wvolatile-register-var -Wdisabled-optimization 
 -Wbuiltin-macro-redefined -Wmudflap -Wpacked-bitfield-compat -Wsync-nand 
 -Wattributes -Wcoverage-mismatch -Wmultichar -Wno-missing-field-initializers 
 -Wno-sign-compare -Wframe-larger-than=4096 -Wp,-D_FORTIFY_SOURCE=2 
 -fstack-protector-all --param=ssp-buffer-size=4 -fexceptions 
 -fasynchronous-unwind-tables -fdiagnostics
-s
 how-option -funit-at-a-time -Werror  -O2 -g -pipe -Wall 
 -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
 --param=ssp-buffer-size=4 -m64 -mtune=generic -MT libvirt_util_la-buf.lo -MD 
 -MP -MF .deps/libvirt_util_la-buf.Tpo -c -o libvirt_util_la-buf.lo `test -f 
 'util/buf.c' || echo './'`util/buf.c
 libtool: compile:  gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I../gnulib/lib 
 -I../gnulib/lib -I../include -I../src/util -I../include -DIN_LIBVIRT 
 -I/usr/include/libxml2 -Wall -W -Wformat-y2k -Wformat-security -Winit-self 
 -Wmissing-include-dirs -Wunused -Wunknown-pragmas -Wstrict-aliasing -Wshadow 
 -Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-strings -Wlogical-op 
 -Waggregate-return -Wstrict-prototypes -Wold-style-definition 
 -Wmissing-prototypes -Wmissing-declarations -Wmissing-noreturn 
 -Wmissing-format-attribute -Wredundant-decls -Wnested-externs -Winline 
 -Winvalid-pch -Wvolatile-register-var -Wdisabled-optimization 
 -Wbuiltin-macro-redefined -Wmudflap -Wpacked-bitfield-compat -Wsync-nand 
 -Wattributes -Wcoverage-mismatch -Wmultichar -Wno-missing-field-initializers 
 -Wno-sign-compare -Wframe-larger-than=4096 -Wp,-D_FORTIFY_SOURCE=2 
 -fstack-protector-all --param=ssp-buffer-size=4 -fexceptions 
 -fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time -Werro
r 
 -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
 --param=ssp-buffer-size=4 -m64 -mtune=generic -MT libvirt_util_la-buf.lo -MD 
 -MP -MF .deps/libvirt_util_la-buf.Tpo -c util/buf.c  -fPIC -DPIC -o 
 .libs/libvirt_util_la-buf.o
 cc1: warnings being treated as errors
 util/buf.c: In function 'virBufferEscape':
 util/buf.c:430: error: logical '' with non-zero constant will always 
 evaluate as true [-Wlogical-op]
 make[3]: *** [libvirt_util_la-buf.lo] Error 1
 =
 
 If I remove -O2, I can build util/buf.c.

I test strchr in a small program:
=
# cat test.c
#include stdio.h
#include string.h

int main() {
char *s = abcdefg;
int chr = (int)'d';
char *d;

d = strchr(s, chr);
if (d)
printf(%s\n, d);

return 0;
}
# gcc -std=c99 -Wall -o test test.c -Wlogical-op -Werror
# gcc -std=c99 -O2 -Wall -o test test.c -Wlogical-op -Werror
cc1: warnings being treated as errors
test.c: In function ‘main’:
test.c:9: error: logical ‘’ with non-zero constant will always evaluate as 
true
# gcc -std=c99 -Wall -o test test.c -Wlogical-op -Werror
# gcc -std=c99 -Wall -o test test.c -Werror
=

The building failed only when '-O2' and '-Wlogical-op' are specified at the 

Re: [libvirt] Compiler warnings

[Alex Jia]

On 10/18/2011 10:09 AM, Wen Congyang wrote:

At 10/18/2011 09:32 AM, Wen Congyang Write:

At 10/18/2011 01:04 AM, Eric Blake Write:

On 10/17/2011 11:03 AM, Eric Blake wrote:

On 10/17/2011 10:17 AM, Alex Jia wrote:

Eric,
It's latest libvirt upstream, current commit id is commit 0a71c79.

# rpm -q glibc
glibc-2.12-1.42.el6.x86_64

430 if (strchr(toescape, *cur))

CC libvirt_util_la-buf.lo
util/buf.c: In function 'virBufferEscape':
util/buf.c:430: warning: logical '' with non-zero constant will
always
evaluate as true [-Wlogical-op]

Something's screwy. There's no  in that line, unless strchr() is a
macro based on your particular compilation flags. I'm suspecting that
this is a case of -D_FORTIFY_SOURCE going awry. I don't see how this
could possibly be a libvirt issue; more likely, it is an issue with the
choice of compiler flags you are using, coupled with an issue in the
system headers causing the preprocessor to expand strchr() into
something that tickles a spurious gcc warning.

Just to make sure, could you show 'make V=1' output, so we know exactly
which compiler flags are in effect?


I can reproduce this problem, here is 'make V=1' output:

=
make[3]: Entering directory `/root/rpmbuild/BUILD/libvirt-0.9.6/src'
/bin/sh ../libtool  --tag=CC   --mode=compile gcc -std=gnu99 -DHAVE_CONFIG_H 
-I. -I.. -I../gnulib/lib -I../gnulib/lib -I../include -I../src/util 
-I../include -DIN_LIBVIRT-I/usr/include/libxml2   -Wall -W -Wformat-y2k 
-Wformat-security -Winit-self -Wmissing-include-dirs -Wunused -Wunknown-pragmas 
-Wstrict-aliasing -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align 
-Wwrite-strings -Wlogical-op -Waggregate-return -Wstrict-prototypes 
-Wold-style-definition -Wmissing-prototypes -Wmissing-declarations 
-Wmissing-noreturn -Wmissing-format-attribute -Wredundant-decls 
-Wnested-externs -Winline -Winvalid-pch -Wvolatile-register-var 
-Wdisabled-optimization -Wbuiltin-macro-redefined -Wmudflap 
-Wpacked-bitfield-compat -Wsync-nand -Wattributes -Wcoverage-mismatch 
-Wmultichar -Wno-missing-field-initializers -Wno-sign-compare 
-Wframe-larger-than=4096 -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector-all 
--param=ssp-buffer-size=4 -fexceptions -fasynchronous-unwind-tables 
-fdiagnostics

-s

how-option -funit-at-a-time -Werror  -O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic -MT libvirt_util_la-buf.lo -MD 
-MP -MF .deps/libvirt_util_la-buf.Tpo -c -o libvirt_util_la-buf.lo `test -f 
'util/buf.c' || echo './'`util/buf.c
libtool: compile:  gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -I../gnulib/lib 
-I../gnulib/lib -I../include -I../src/util -I../include -DIN_LIBVIRT 
-I/usr/include/libxml2 -Wall -W -Wformat-y2k -Wformat-security -Winit-self 
-Wmissing-include-dirs -Wunused -Wunknown-pragmas -Wstrict-aliasing -Wshadow 
-Wpointer-arith -Wbad-function-cast -Wcast-align -Wwrite-strings -Wlogical-op 
-Waggregate-return -Wstrict-prototypes -Wold-style-definition 
-Wmissing-prototypes -Wmissing-declarations -Wmissing-noreturn 
-Wmissing-format-attribute -Wredundant-decls -Wnested-externs -Winline 
-Winvalid-pch -Wvolatile-register-var -Wdisabled-optimization 
-Wbuiltin-macro-redefined -Wmudflap -Wpacked-bitfield-compat -Wsync-nand 
-Wattributes -Wcoverage-mismatch -Wmultichar -Wno-missing-field-initializers 
-Wno-sign-compare -Wframe-larger-than=4096 -Wp,-D_FORTIFY_SOURCE=2 
-fstack-protector-all --param=ssp-buffer-size=4 -fexceptions 
-fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time -Werro

r

-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic -MT libvirt_util_la-buf.lo -MD 
-MP -MF .deps/libvirt_util_la-buf.Tpo -c util/buf.c  -fPIC -DPIC -o 
.libs/libvirt_util_la-buf.o
cc1: warnings being treated as errors
util/buf.c: In function 'virBufferEscape':
util/buf.c:430: error: logical '' with non-zero constant will always evaluate 
as true [-Wlogical-op]
make[3]: *** [libvirt_util_la-buf.lo] Error 1
=

If I remove -O2, I can build util/buf.c.

I test strchr in a small program:
=
# cat test.c
#includestdio.h
#includestring.h

int main() {
 char *s = abcdefg;
 int chr = (int)'d';
 char *d;

 d = strchr(s, chr);
 if (d)
 printf(%s\n, d);

 return 0;
}
# gcc -std=c99 -Wall -o test test.c -Wlogical-op -Werror
# gcc -std=c99 -O2 -Wall -o test test.c -Wlogical-op -Werror
cc1: warnings being treated as errors
test.c: In function ‘main’:
test.c:9: error: logical ‘’ with non-zero constant will always evaluate as 
true
# gcc -std=c99 -Wall -o test test.c -Wlogical-op -Werror
# gcc -std=c99 -Wall -o test test.c -Werror
=

The building failed only when '-O2' and '-Wlogical-op' are specified at the 
same time.

[libvirt] [PATCH] compile: Add a missing function 'pciDeviceListFind' to libvirt_private.syms

[Xu He Jie]

compile error:
../src/.libs/libvirt_driver_qemu.a(libvirt_driver_qemu_la-qemu_hostdev.o): In 
function `qemuPrepareHostdevPCIDevices':
/home/soulxu/data/work-code/libvirt/src/qemu/qemu_hostdev.c:183: undefined 
reference to `pciDeviceListFind'
/home/soulxu/data/work-code/libvirt/src/qemu/qemu_hostdev.c:230: undefined 
reference to `pciDeviceListFind'
../src/.libs/libvirt_driver_qemu.a(libvirt_driver_qemu_la-qemu_hostdev.o): In 
function `qemuGetActivePciHostDeviceList':
/home/soulxu/data/work-code/libvirt/src/qemu/qemu_hostdev.c:102: undefined 
reference to `pciDeviceListFind'
../src/.libs/libvirt_driver_qemu.a(libvirt_driver_qemu_la-qemu_hostdev.o): In 
function `qemuDomainReAttachHostdevDevices':
/home/soulxu/data/work-code/libvirt/src/qemu/qemu_hostdev.c:370: undefined 
reference to `pciDeviceListFind'

Signed-off-by: Xu He Jie x...@linux.vnet.ibm.com
---
 src/libvirt_private.syms |1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 1e03e33..61f4dc4 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -892,6 +892,7 @@ pciDeviceListFree;
 pciDeviceListGet;
 pciDeviceListNew;
 pciDeviceListSteal;
+pciDeviceListFind;
 pciDeviceNetName;
 pciDeviceReAttachInit;
 pciDeviceSetManaged;
-- 
1.7.4.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCHv2 02/13] virbuf: improve testsuite reporting

[Hai Dong Li]

On 09/30/2011 12:22 AM, Eric Blake wrote:

I had some temporary test failures while working on virbuf
improvements in later patches, with output that looked like:

Expected []
Actual []

which is pretty hard to figure out.  Adding an Offset designation
made it much easier to find which particular '' was at the
wrong indentation, to fix the right part of the code.

* tests/testutils.c (virtTestDifference): Make it easier to
diagnose test failures.

I'd like to say I like this tip.

---
  tests/testutils.c |2 +-
  1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/tests/testutils.c b/tests/testutils.c
index 08db732..7eb40f0 100644
--- a/tests/testutils.c
+++ b/tests/testutils.c
@@ -359,7 +359,7 @@ int virtTestDifference(FILE *stream,
  }

  /* Show the trimmed differences */
-fprintf(stream, \nExpect [);
+fprintf(stream, \nOffset %d\nExpect [, (int) (expectStart - expect));
  if ((expectEnd - expectStart + 1)
  fwrite(expectStart, (expectEnd-expectStart+1), 1, stream) != 1)
  return -1;


--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] compile: Add a missing function 'pciDeviceListFind' to libvirt_private.syms

[Wen Congyang]

At 10/18/2011 10:46 AM, Xu He Jie Write:
 compile error:
 ../src/.libs/libvirt_driver_qemu.a(libvirt_driver_qemu_la-qemu_hostdev.o): In 
 function `qemuPrepareHostdevPCIDevices':
 /home/soulxu/data/work-code/libvirt/src/qemu/qemu_hostdev.c:183: undefined 
 reference to `pciDeviceListFind'
 /home/soulxu/data/work-code/libvirt/src/qemu/qemu_hostdev.c:230: undefined 
 reference to `pciDeviceListFind'
 ../src/.libs/libvirt_driver_qemu.a(libvirt_driver_qemu_la-qemu_hostdev.o): In 
 function `qemuGetActivePciHostDeviceList':
 /home/soulxu/data/work-code/libvirt/src/qemu/qemu_hostdev.c:102: undefined 
 reference to `pciDeviceListFind'
 ../src/.libs/libvirt_driver_qemu.a(libvirt_driver_qemu_la-qemu_hostdev.o): In 
 function `qemuDomainReAttachHostdevDevices':
 /home/soulxu/data/work-code/libvirt/src/qemu/qemu_hostdev.c:370: undefined 
 reference to `pciDeviceListFind'
 
 Signed-off-by: Xu He Jie x...@linux.vnet.ibm.com
 ---
  src/libvirt_private.syms |1 +
  1 files changed, 1 insertions(+), 0 deletions(-)
 
 diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
 index 1e03e33..61f4dc4 100644
 --- a/src/libvirt_private.syms
 +++ b/src/libvirt_private.syms
 @@ -892,6 +892,7 @@ pciDeviceListFree;
  pciDeviceListGet;
  pciDeviceListNew;
  pciDeviceListSteal;
 +pciDeviceListFind;

The function is sorted by alphanumeric.

  pciDeviceNetName;
  pciDeviceReAttachInit;
  pciDeviceSetManaged;

Ack with the nit fixed.

Thanks
Wen Congyang

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH] compile: Add a missing function 'pciDeviceListFind' to libvirt_private.syms

[Xu He Jie]

于 2011年10月18日 11:12, Wen Congyang 写道:

At 10/18/2011 10:46 AM, Xu He Jie Write:

compile error:
../src/.libs/libvirt_driver_qemu.a(libvirt_driver_qemu_la-qemu_hostdev.o): In 
function `qemuPrepareHostdevPCIDevices':
/home/soulxu/data/work-code/libvirt/src/qemu/qemu_hostdev.c:183: undefined 
reference to `pciDeviceListFind'
/home/soulxu/data/work-code/libvirt/src/qemu/qemu_hostdev.c:230: undefined 
reference to `pciDeviceListFind'
../src/.libs/libvirt_driver_qemu.a(libvirt_driver_qemu_la-qemu_hostdev.o): In 
function `qemuGetActivePciHostDeviceList':
/home/soulxu/data/work-code/libvirt/src/qemu/qemu_hostdev.c:102: undefined 
reference to `pciDeviceListFind'
../src/.libs/libvirt_driver_qemu.a(libvirt_driver_qemu_la-qemu_hostdev.o): In 
function `qemuDomainReAttachHostdevDevices':
/home/soulxu/data/work-code/libvirt/src/qemu/qemu_hostdev.c:370: undefined 
reference to `pciDeviceListFind'

Signed-off-by: Xu He Jiex...@linux.vnet.ibm.com
---
  src/libvirt_private.syms |1 +
  1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 1e03e33..61f4dc4 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -892,6 +892,7 @@ pciDeviceListFree;
  pciDeviceListGet;
  pciDeviceListNew;
  pciDeviceListSteal;
+pciDeviceListFind;

The function is sorted by alphanumeric.


  pciDeviceNetName;
  pciDeviceReAttachInit;
  pciDeviceSetManaged;

Ack with the nit fixed.

Thanks
Wen Congyang


Thanks
Xu He Jie

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[libvirt] [PATCH v2] qemu: Honor the original properties of PCI device when detaching

[Osier Yang]

This patch fixes two problems:
1) The device will be reattached to host even if it's not
   managed, as there is a pciDeviceSetManaged.
2) The device won't be reattached to host with original
   driver properly. As it doesn't honor the device original
   properties which are maintained by driver-activePciHostdevs.
---
 src/qemu/qemu_hotplug.c |   17 +
 1 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/src/qemu/qemu_hotplug.c b/src/qemu/qemu_hotplug.c
index bfa524b..718f223 100644
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@@ -1956,6 +1956,7 @@ int qemuDomainDetachHostPciDevice(struct qemud_driver 
*driver,
 qemuDomainObjPrivatePtr priv = vm-privateData;
 int i, ret;
 pciDevice *pci;
+pciDevice *activePci;
 
 for (i = 0 ; i  vm-def-nhostdevs ; i++) {
 if (vm-def-hostdevs[i]-mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS ||
@@ -2015,16 +2016,16 @@ int qemuDomainDetachHostPciDevice(struct qemud_driver 
*driver,
detach-source.subsys.u.pci.bus,
detach-source.subsys.u.pci.slot,
detach-source.subsys.u.pci.function);
-if (!pci)
-ret = -1;
-else {
-pciDeviceSetManaged(pci, detach-managed);
-pciDeviceListDel(driver-activePciHostdevs, pci);
-if (pciResetDevice(pci, driver-activePciHostdevs, NULL)  0)
+if (pci) {
+activePci = pciDeviceListSteal(driver-activePciHostdevs, pci);
+if (pciResetDevice(activePci, driver-activePciHostdevs, NULL))
+qemuReattachPciDevice(activePci, driver);
+else
 ret = -1;
-pciDeviceReAttachInit(pci);
-qemuReattachPciDevice(pci, driver);
 pciFreeDevice(pci);
+pciFreeDevice(activePci);
+} else {
+ret = -1;
 }
 
 if (qemuCapsGet(priv-qemuCaps, QEMU_CAPS_DEVICE) 
-- 
1.7.6

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCHv2 03/13] virbuf: more detailed error reporting

[Hai Dong Li]

On 09/30/2011 12:22 AM, Eric Blake wrote:

The next patch wants to add some sanity checking, which would
be a different error than ENOMEM.  Many existing callers blindly
report OOM failure if virBuf reports an error, and this will be
wrong in the (unlikely) case that they actually had a usage error
instead; but since the most common error really is ENOMEM, I'm
not going to fix all callers.  Meanwhile, new discriminating
callers can react differently depending on what failure happened.

* src/util/buf.c (virBufferSetError): Add parameter.
(virBufferGrow, virBufferVasprintf, virBufferEscapeString)
(virBufferEscapeSexpr): Adjust callers.
---
  src/util/buf.c |   26 +-
  1 files changed, 13 insertions(+), 13 deletions(-)


I checked this patch, it seems everything is all right.

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list