| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Update all copyright dates to 2012.
|
| |
|
|
|
|
|
|
| |
Change the test for duplicate drives so that you're allowed to
add /dev/null multiple times. This corresponds to traditional
usage.
This amends commit be47b66c3033105a2b880dbc10bfc2b163b7eafe.
|
| |
|
|
|
|
| |
Move the filename's comma character checking to a wrapper.
Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Change the g->path to restore a absolute path instead of the mixed.
2. Check that if the adding drive is duplicated with the added drive.
Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
RWMJ:
- Make sure abs_path is NULL before it is assigned, so freeing it
will work along the error path.
- Fix the test which added /dev/null multiple times.
|
| |
|
|
|
|
|
| |
Code cleanup.
Add a goto label to simplify the code.
Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
|
| |
|
|
|
|
|
| |
This function does 'rm -rf <dir>' for temporary directories, safely
working if '<dir>' contains shell meta-characters.
Replace existing code for removing directories with this.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(CVE-2011-4127, RHBZ#757071)
CVE-2011-4127 is a serious qemu & kernel privilege escalation bug
found by Paolo Bonzini.
http://seclists.org/oss-sec/2011/q4/536
An untrusted guest kernel is able to issue special SG_IO ioctls on
virtio devices which qemu passes through to the host kernel without
filtering or sanitizing. These ioctls allow raw sectors from the
underlying host device to be read and written. Significantly, neither
qemu nor the host kernel checks that the range of sectors is within
the partition / LV assigned to the guest. For example, if the guest
is assigned host partition /dev/sda3, it would be able to read or
write any part of /dev/sda including other partitions and the boot
sector. Exploits through LVs passed to the guest are also possible,
with some limitations. File-backed virtual block devices are not
vulnerable. Non-virtio block devices are not vulnerable.
This patch mitigates the problem by disabling the SG_IO ioctl
passthrough in qemu. Thus if libguestfs is examining an untrusted
guest and the libguestfs appliance/daemon is compromised (eg. by
executing guest commands, or through some other compromise), then the
compromised appliance will not be able to issue the above SG_IO ioctls
and exploit the host.
Note that this is just mitigation for libguestfs. Users will still
want to fully update their host kernel, qemu/KVM and libvirt, in order
to prevent other (non-libguestfs) routes to compromise.
The following versions of libguestfs (will/have) this patch applied.
libguestfs >= 1.15.13
libguestfs >= 1.14.8
libguestfs >= 1.12.11
libguestfs >= 1.10.12
libguestfs >= 1.8.16
Earlier versions may be vulnerable unless a downstream packager has
applied this patch.
Cc: Hilko Bengen <bengen@hilluzination.de>
|
| |
|
|
|
|
|
| |
Also add this option, if necessary, when testing for virtio-serial
support.
When the workaround is enabled, we specify machine type 'pc'.
|
| | |
|
| |
|
|
| |
This is just code refactoring.
|
| |
|
|
|
|
|
|
|
|
|
| |
We currently use a heuristic to guess how drive names we find
referenced in the guest map to drive names in the appliance. If this
heuristic fails it can cause inspection to fail.
This change adds a new 'name' option to add_drive_opts, which allows
the user to explicitly pass the name of a drive to libguestfs if it is
known. This change also updates the fstab-parsing inspection code to
use this information if it is available.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a NFC on its own, but provides a place-holder for drive metadata which
can be used after launch.
Fixes by RWMJ:
- Fix the tests: this requires a new internal function 'debug-drives'
that dumps out the g->drives information so it can be checked in
two of the tests. Previously these tests used 'debug-cmdline'.
- Test file existence / use_cache_off in the add_drive_opts function,
not when launching qemu in the child process.
- Call free along error paths.
- Add comments.
|
| | |
|
| |
|
|
|
| |
Mainly this is a documentation change. However a sample of
DTrace-compatible userspace probes are also added.
|
| |
|
|
|
|
|
| |
These calls allow you to change the number of virtual CPUs assigned to
the appliance.
This also adds a --smp option to virt-rescue.
|
| |
|
|
|
|
|
|
|
| |
See:
https://bugzilla.redhat.com/show_bug.cgi?id=502058#c15
https://bugzilla.redhat.com/show_bug.cgi?id=698842#c8
This updates commit 79e66f89e2f6c27486476d7857da58feb491bf5c.
|
| |
|
|
|
|
|
|
|
| |
Originally this was disabled to work around RHBZ#502058. That bug was
never officially fixed, but it may have fixed itself.
In the meantime, KVM has broken ordinary PIC support (RHBZ#723822).
Since APIC is the most common way that regular Linux and Windows
guests run it makes sense to remove this hack.
|
| |
|
|
|
| |
Note that errno is probably not set to a useful value here, so there
is not much point recording it.
|
| |
|
|
| |
In particular pclose returns a status > 0 if the command fails.
|
| | |
|
| |
|
|
|
| |
This refactors the code in test_qemu slightly to ensure that
FILE *fp is not leaked on error paths.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This function was used to print the qemu and
febootstrap-supermin-helper command lines.
Unfortunately in the qemu case it was used incorrectly: it called the
internal debug function (ie. event API callback) from the forked qemu
subprocess, which meant that higher level event callbacks might have
been invoked from the child process.
To fix this, convert the qemu case into a new function called
print_qemu_command line which just prints the command line directly to
stderr. This is called after stderr has been redirected into the pipe
to the main process. Thus the qemu command line will be marshalled
into the event API along with other qemu and appliance output.
After fixing this, only one use of guestfs___print_timestamped_argv
remained, for printing the febootstrap-supermin-helper command line.
This is converted to a local function print_febootstrap_command_line.
Also print_febootstrap_command_line is now called before we fork
febootstrap-supermin-helper, so that messages no longer overlap.
|
| | |
|
| |
|
|
|
|
|
| |
This function is like qemu_supports, but allows us to grep
the help text using regular expressions.
Note the function is not used yet.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
If the pgroup flag is set in the handle, then the qemu and recovery
subprocesses are placed in separate process groups. The default is
false.
The purpose for setting up a process group is that ^C will not be
passed from the main process down to these processes (killing them).
This allows ^C and other keyboard events to be caught and handled in
the main process.
|
| | |
|
| |
|
|
|
|
|
|
| |
Because of the previous change to size_t, when pos == 0 the loop would
wrap around and cause a segmentation fault.
This fixes a regression introduced by
commit 10167cea98f93a74abe63f0a54d3a662997e7489.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit generates approximate progress messages during the
guestfs_launch call. Currently this code generates:
0 / 12: launch clock starts
3 / 12: appliance created
6 / 12: detected that guest kernel started
9 / 12: detected that /init script is running
12 / 12: launch completed successfully
(Note this is not an ABI and may be changed or removed in a future
version).
Progress messages are only generated at all if 5 seconds have elapsed
since the launch, and they are only generated for the ordinary
appliance (not if using attach-method to attach to an existing virtio
serial port).
|
| |
|
|
| |
This is just code motion.
|
| |
|
|
|
|
|
|
| |
No functional change; this simply makes the purpose of the
socket clearer.
Notes:
Labels: cleanup
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This API allows more than one callback to be registered for each
event, makes it possible to call the API from other languages, and
allows [nearly all] log, debug and trace messages to be rerouted from
stderr.
An older version of this API was discussed on the mailing list here:
https://www.redhat.com/archives/libguestfs/2010-December/msg00081.html
https://www.redhat.com/archives/libguestfs/2011-January/msg00012.html
This also updates guestfish to use the new API for its progress bars.
|
| |
|
|
| |
Signed-off-by: Angus Salkeld <asalkeld@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Allow connections to a Unix domain socket which is connected
(via virtio-serial) to a guestfsd running free in an existing
guest.
In order to use this you have to add the following element
to the libvirt XML:
<channel type='unix'>
<source mode='bind' path='/tmp/socket'/>
<target type='virtio' name='org.libguestfs.channel.0'/>
</channel>
(or perform the equivalent on the qemu command line).
Then in guestfish, you can do:
guestfish \
attach-method unix:/tmp/socket : \
run : \
ll /
(or any other commands as desired).
|
| |
|
|
| |
This is just code motion.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The FHS advises large files not to be stored in the root
filesystem[1], and that /var/tmp is persistent across reboots[2]
(whereas /tmp is possibly not[3]).
Therefore we should store the large cached supermin appliance in
/var/tmp instead of /tmp. /tmp is still used for all other temporary
files and directories.
In either case you can override this by setting $TMPDIR.
[1] http://www.pathname.com/fhs/pub/fhs-2.3.html#THEROOTFILESYSTEM
[2] http://www.pathname.com/fhs/pub/fhs-2.3.html#VARTMPTEMPORARYFILESPRESERVEDBETWEE
[3] http://www.pathname.com/fhs/pub/fhs-2.3.html#TMPTEMPORARYFILES
|
| |
|
|
| |
(Revealed by compiling under Debian where this is a warning).
|
| |
|
|
|
| |
This is an internal-only debugging API so may be changed or
removed at any time in the future.
|
| |
|
|
|
| |
This internal interface can be used to ensure that certain
operations are atomic.
|
| |
|
|
|
|
|
| |
This function generalises the existing print_cmdline used to output the qemu
command line to output any given command line, and exports it to other modules.
It also adds a timestamp to the old print_cmdline output for consistency with
guestfs___print_timestamped_message.
|
| |
|
|
|
|
|
|
|
|
| |
Commit 4963be85 re-introduced networking to the appliance,
but didn't configure the custom network the appliance expects
since we switched to link local addressing. This patch
configures QEMU to use the custom network again.
Note that you still need to use guestfs_set_network (g, 1)
to enable user networking.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This large commit changes the generator so that optional arguments
can be supported for functions.
The model for arguments (known as the "style") is changed from
(ret, args) to (ret, args, optargs) where optargs is a more limited
list of arguments.
One function has been added which takes optional arguments, it is
"add-drive-opts", modelled as:
(RErr, [String "filename"], #required
[Bool "readonly"; String "format"; String "iface"]) #optional
Note that this function is processed in the library (does not go over
the RPC protocol to the daemon). This has allowed us to simplify
the current implementation by omitting changes related to RPC or the
daemon, although we plan to add these at some point in the future.
From C this function can be called in 3 different ways as in these
examples:
guestfs_add_drive_opts (g, filename,
GUESTFS_ADD_DRIVE_OPTS_READONLY, 1,
GUESTFS_ADD_DRIVE_OPTS_FORMAT, "raw",
-1);
(the argument(s) between 'filename' and '-1' are the optional ones).
guestfs_add_drive_opts_va (g, filename, args);
where 'args' is a va_list. This works like the first version.
struct guestfs_add_drive_opts_argv optargs = {
.bitmask = GUESTFS_ADD_DRIVE_OPTS_READONLY_BITMASK,
.readonly = 1,
}
guestfs_add_drive_opts_argv (g, filename, &optargs);
This last form lets you construct lists of optional arguments, and
is used by guestfish and the language bindings.
In guestfish optional arguments are used like this:
add-drive-opts filename readonly:true
In OCaml these are mapped naturally to OCaml optional arguments, eg:
g#add_drive_opts ~readonly:true filename;
In Perl these are mapped to extra arguments, eg:
$g->add_drive_opts ($filename, readonly => 1);
In Python these are mapped to optional arguments, eg:
g.add_drive_opts ("file", readonly = 1, format = "qcow2")
In Ruby these are mapped to a final hash argument, eg:
g.add_drive_opts("file", {})
g.add_drive_opts("file", :readonly => 1)
g.add_drive_opts("file", :readonly => 1, :iface => "virtio")
In PHP these are mapped to extra parameters. This is not quite
accurate since you cannot omit arbitrary optional parameters, but
there's not much than can be done within the limitations of PHP
as a language.
Unimplemented in: Haskell, C#, Java.
|
| |
|
|
|
|
|
| |
Be more consistent in allowing the user to override use of the
temporary directory by specifying $TMPDIR. Also prefer P_tmpdir
macro (defined in <stdio.h>) if that is defined, rather than
hard-coding "/tmp" for the fallback location.
|
| |
|
|
|
|
|
| |
This frees the string containing the name of the appliance
which was previously being leaked during launch.
(Found by valgrind).
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Without this option, qemu will read some defaults from /etc/qemu/
configuration files.
|
