Commit log for path: root/src/launch.c
Each entry gives the commit subject, then [author, date, files changed, lines -removed/+added], followed by the commit message.
* Revert "launch: Correction in comment."  [Richard W.M. Jones, 2012-07-09, 1 file, -2/+4]
  This reverts commit 6e5a85bb9b6557bc337625a339728e23f5f2dd94. It turns out
  this is a bug in QEMU after all.
  (cherry picked from commit bd3e42a8ded1ed7a4177ad03646572eb6155a49c)
* launch: Correction in comment.  [Richard W.M. Jones, 2012-07-07, 1 file, -4/+2]
  https://bugs.launchpad.net/qemu/+bug/1021649 is invalid, probably caused
  by a Fedora ROM. This updates commit 52d188e32fb8addb45bf926df07e34ab35898f85.
  (cherry picked from commit 6e5a85bb9b6557bc337625a339728e23f5f2dd94)
* qemu: Use sgabios by default (thanks Dan Berrange).  [Richard W.M. Jones, 2012-07-06, 1 file, -0/+9]
  (cherry picked from commit 52d188e32fb8addb45bf926df07e34ab35898f85)
* New API: guestfs_shutdown: Cleanly shutdown the backend.  [Richard W.M. Jones, 2012-07-06, 1 file, -11/+1]
  The new API splits orderly close into a two-step process:

    if (guestfs_shutdown (g) == -1) {
      /* handle the error, eg. qemu error */
    }
    guestfs_close (g);

  Note that the explicit shutdown step is only necessary in the case where
  you have made changes to the disk image and want to handle write errors.
  Read the documentation for further information.

  This change also:
  - deprecates guestfs_kill_subprocess
  - turns guestfs_kill_subprocess into the same as guestfs_shutdown
  - changes guestfish and other tools to call shutdown + close where
    necessary (not for read-only tools)
  - updates documentation
  - updates examples

  (cherry picked from commit ffbf1475f7ae7c462db289ad4834391469e72edd)
* Add notes about how qemu cache=none works internally.  [Richard W.M. Jones, 2012-07-06, 1 file, -1/+12]
  This is just a comment and has no functional effect.
  (cherry picked from commit 0437a7905619b8370e25fbae1a3e6388c5277be9)
* Rename qemu option cache=off to cache=none.  [Richard W.M. Jones, 2012-07-06, 1 file, -9/+9]
  Note that qemu treats these identically, so this change has no functional
  effect.
  (cherry picked from commit 1608ca182b094a1dbe22094f39a5e86f18f728b7)
* launch: Avoid double-close when qemu exits early.  [Richard W.M. Jones, 2012-06-28, 1 file, -2/+6]
  The stdin and stdout of the qemu process are aliased to g->fd:

    g->fd[0] = wfd[1];
    g->fd[1] = rfd[0];

  However if the child exits early, then child_cleanup closes g->fd[0],
  g->fd[1], AND the code at the cleanup1 label closes wfd[1], rfd[0],
  resulting in a double-close.

  Avoid this case by setting wfd[1], rfd[0] to -1. In the cleanup1 label,
  only close wfd[1], rfd[0] if they are not -1, and add the same for
  g->fd[0], g->fd[1].

  (cherry picked from commit c87956837e962072fff61edef5b18e55ad42d730)
* launch: Ensure errno from test_qemu_cmd is captured and printed.  [Richard W.M. Jones, 2012-06-28, 1 file, -5/+3]
  (cherry picked from commit 9e221e55b61e9f1cd0caf292ca609a4ca26f1d4d)
* launch: Set g->sock = -1 to avoid double-close.  [Richard W.M. Jones, 2012-06-28, 1 file, -0/+1]
  This fixes commit ef5c02c6ee72eb8e127115923951777a2c2b8480.
  (cherry picked from commit 11317b5d1243f3afc35f7abe8edc646f75813e36)
* launch: Log errors from close syscall.  [Richard W.M. Jones, 2012-06-28, 1 file, -1/+6]
  (cherry picked from commit ef5c02c6ee72eb8e127115923951777a2c2b8480)
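Added example (not libguestfs code) of the close-once idiom that the three 2012-06-28 commits above converge on: a helper that closes through an int pointer, resets it to -1 so an aliased owner cannot close the same number again, and logs a failing close(2). close_once, demo_close_once and the pipe set-up are constructed for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Close *fdp once and mark it closed.  Returns 0 on success or when the fd
 * was already closed, -1 if close(2) failed (the error is logged, as the
 * "Log errors from close syscall" commit does). */
int
close_once (int *fdp, const char *what)
{
  int r;

  if (*fdp == -1)           /* already closed: safe no-op */
    return 0;
  r = close (*fdp);
  if (r == -1)
    fprintf (stderr, "close: %s (fd %d): %s\n", what, *fdp, strerror (errno));
  *fdp = -1;                /* never reach this number through here again */
  return r;
}

/* Reproduce the launch.c situation: one pipe end aliased into two owners
 * (g->fd[] and wfd[]/rfd[] in the commit).  Returns 1 if the helper plus
 * the -1 sentinel avoids the double close and a raw second close of the
 * stale number is indeed rejected by the kernel. */
int
demo_close_once (void)
{
  int pfd[2], owner_a, owner_b;

  if (pipe (pfd) == -1)
    return 0;
  owner_a = pfd[1];
  owner_b = pfd[1];         /* the alias that caused the double close */

  if (close_once (&owner_a, "pipe write end") == -1)
    return 0;
  owner_b = -1;             /* the fix: mark the alias closed as well */
  if (close_once (&owner_b, "pipe write end (alias)") != 0)
    return 0;

  /* What the bug did: closing the stale number again fails with EBADF
   * (or, worse, closes an unrelated fd that has since reused the number). */
  if (close (pfd[1]) != -1 || errno != EBADF)
    return 0;
  return close_once (&pfd[0], "pipe read end") == 0;
}
```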
* arm: Use #if defined instead of #ifdef.  [Richard W.M. Jones, 2012-06-21, 1 file, -1/+1]
  No functional change.
  (cherry picked from commit 4e5d3b06fb2f366c0010ae6aa15f9dee74261917)
* ppc64: Avoid "defined but not used" warning for is_openable function.  [Richard W.M. Jones, 2012-06-21, 1 file, -0/+4]
  (cherry picked from commit 450493cf6b563389bd11f02284bd22d7ed90b5da)
* qemu: Move -nodefaults etc logically together.  [Richard W.M. Jones, 2012-05-12, 1 file, -16/+16]
  This is just code motion.
* arm: Add configure flag '--with-qemu-options'.  [Richard W.M. Jones, 2012-05-12, 1 file, -0/+65]
  This flag allows extra QEMU options to be passed on the command line.
  This is useful mainly on arm (see the notes in the updated README file).
* arm: Disable -machine, -enable-kvm options except on x86, x86-64.  [Richard W.M. Jones, 2012-05-12, 1 file, -0/+5]
  Presently KVM is only applicable to x86 and x86-64 (although that will
  change in future, and there are rumoured to be implementations for some
  current non-x86 architectures). In any case having these options breaks
  ARM, so disable them for non-x86 architectures at the moment.
* arm: On Linux ARM kernels, the serial console is ttyAMA0.  [Richard W.M. Jones, 2012-05-12, 1 file, -1/+7]
  Cope with unnecessary lack of standardization.
* arm: Disable test for -no-hpet during launch.  [Richard W.M. Jones, 2012-05-12, 1 file, -0/+8]
* lib: Remove the BUSY state.  [Richard W.M. Jones, 2012-04-26, 1 file, -1/+2]
  Originally this state was intended so that in some way you could find out
  if the appliance was running a command. However there was never a
  thread-safe way to access the state of the handle, so in effect you could
  never do anything useful safely with this information.

  This commit completely removes the BUSY state.

  The only visible change is to the guestfs_is_busy API. Previously you
  could never call this safely from another thread. If you called it from
  the same thread it would always return false (since the current thread
  can't be running a libguestfs command at that point by definition). Now it
  always returns false.
* lib: Escape , as ,, on qemu command line (RHBZ#811649).  [Richard W.M. Jones, 2012-04-12, 1 file, -3/+16]
* lib: Remove check_path function, limitation is colon, not comma (RHBZ#811649).  [Richard W.M. Jones, 2012-04-12, 1 file, -12/+8]
  Remove the bogus check_path function and move the functionality into the
  two places where it was being used.

  qemu -cdrom , works fine, I tested it.

  Colon cannot be used in a block device filename anywhere, since the qemu
  block driver interprets it as a prefix. There is no known way to work
  around this problem. I checked this is true with kwolf.

  Comma is fine in -drive options, provided it is escaped by doubling it.
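Added example, not libguestfs code, for the two RHBZ#811649 commits above: a -drive formatter that doubles every comma in the filename and refuses a colon outright, since the commit message gives no escape for it. qemu_escape_commas and qemu_drive_param are names chosen here; the "file=...,cache=...,if=virtio" layout is one plausible -drive form, not the project's exact string.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a malloc'd copy of path with every ',' written as ",,", which is
 * how qemu's option parser un-escapes a literal comma. */
char *
qemu_escape_commas (const char *path)
{
  size_t i, j = 0, len = strlen (path);
  char *out = malloc (2 * len + 1);     /* worst case: all commas */

  if (out == NULL)
    return NULL;
  for (i = 0; i < len; i++) {
    if (path[i] == ',')
      out[j++] = ',';                   /* double it */
    out[j++] = path[i];
  }
  out[j] = '\0';
  return out;
}

/* Build "file=<escaped path>,cache=<cache>,if=virtio".  Returns NULL if the
 * path contains a colon: the qemu block layer reads "xxx:" as a protocol
 * prefix and, as the commit notes, there is no way to escape it. */
char *
qemu_drive_param (const char *path, const char *cache)
{
  char *escaped, *param;
  int n;

  if (strchr (path, ':') != NULL)
    return NULL;
  escaped = qemu_escape_commas (path);
  if (escaped == NULL)
    return NULL;
  n = snprintf (NULL, 0, "file=%s,cache=%s,if=virtio", escaped, cache);
  param = malloc ((size_t) n + 1);
  if (param != NULL)
    snprintf (param, (size_t) n + 1, "file=%s,cache=%s,if=virtio",
              escaped, cache);
  free (escaped);
  return param;
}
```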
* Revert "launch: don't add a drive twice"  [Richard W.M. Jones, 2012-04-12, 1 file, -19/+2]
  This reverts commit be47b66c3033105a2b880dbc10bfc2b163b7eafe.
* launch: Set error when qemu fails early during launch (RHBZ#811650).  [Richard W.M. Jones, 2012-04-11, 1 file, -1/+4]
  This caused the Python bindings (and probably others) to segfault because
  guestfs_last_error(g) would return NULL.
* Use O_CLOEXEC / SOCK_CLOEXEC for almost all file descriptors.  [Richard W.M. Jones, 2012-03-14, 1 file, -4/+4]
  The presumption is that all file descriptors should be created with the
  close-on-exec flag set. The only exceptions are file descriptors that we
  want passed through to exec'd subprocesses (mainly pipes and
  stdin/stdout/stderr).

  For open calls, we pass O_CLOEXEC as an extra flag, eg:

    fd = open ("foo", O_RDONLY|O_CLOEXEC);

  This is a Linux-ism, but using a macro we can easily make it portable.

  For sockets, similarly:

    sock = socket (..., SOCK_STREAM|SOCK_CLOEXEC, ...);

  For accepted sockets, we use the Linux accept4 system call which allows
  flags to be supplied, but we use the Gnulib 'accept4' module to make
  this portable.

  For dup, dup2, we use the Linux dup3 system call, and the Gnulib modules
  'dup3' and 'cloexec'.
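Added example, not libguestfs or Gnulib code, of the pattern the commit above describes: O_CLOEXEC and SOCK_CLOEXEC at creation time, a fallback to fcntl(FD_CLOEXEC) where those flags are missing (the portability macro the message mentions), and an audit helper that confirms a descriptor really is close-on-exec. set_cloexec, fd_is_cloexec, finish_cloexec, open_cloexec and socket_cloexec are names assumed here.

```c
#include <fcntl.h>
#include <sys/socket.h>
#include <unistd.h>

/* Portability: where the atomic *_CLOEXEC flags are missing, define them
 * as 0 and set FD_CLOEXEC afterwards (the macro trick the commit mentions). */
#ifndef O_CLOEXEC
#define O_CLOEXEC 0
#endif
#ifndef SOCK_CLOEXEC
#define SOCK_CLOEXEC 0
#endif

/* Set FD_CLOEXEC on an already-open fd.  Returns 0 or -1. */
int
set_cloexec (int fd)
{
  int flags = fcntl (fd, F_GETFD);
  return flags == -1 ? -1 : fcntl (fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Audit helper: 1 if fd is close-on-exec, 0 if not, -1 if not open. */
int
fd_is_cloexec (int fd)
{
  int flags = fcntl (fd, F_GETFD);
  return flags == -1 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* If the atomic flag was unavailable, set FD_CLOEXEC after the fact; on
 * failure close the fd and report -1 so no non-CLOEXEC fd escapes. */
static int
finish_cloexec (int fd, int had_flag)
{
  if (fd != -1 && !had_flag && set_cloexec (fd) == -1) {
    close (fd);
    return -1;
  }
  return fd;
}

/* open(2) and socket(2) that always yield close-on-exec descriptors. */
int
open_cloexec (const char *path, int oflag)
{
  return finish_cloexec (open (path, oflag | O_CLOEXEC), O_CLOEXEC != 0);
}

int
socket_cloexec (int domain, int type, int protocol)
{
  return finish_cloexec (socket (domain, type | SOCK_CLOEXEC, protocol),
                         SOCK_CLOEXEC != 0);
}
```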
* lib: Remove some unused variables.  [Richard W.M. Jones, 2012-03-12, 1 file, -1/+0]
* Close all file descriptors and remove all signal handlers in the recovery process.  [Richard W.M. Jones, 2012-03-09, 1 file, -0/+25]
  If the parent process uses a pipe (or any fd, but pipes are a particular
  problem), then the recovery process would hold open the file
  descriptor(s) of the pipe, meaning that it could not be fully closed in
  the parent. Because the recovery process doesn't use exec(2), this wasn't
  avoidable even using FD_CLOEXEC.

  Avoid this by closing all file descriptors when starting the recovery
  process.

  After discussion with Dan Berrange, he points out that it's also a good
  idea to set signal handlers to the default after forking, so that any
  signal handlers set up in the parent don't affect the child.
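Added example, not libguestfs code, of the fd and signal hygiene the commit above describes for a forked child that never calls exec: the parent shows that the pipe it shares with the child reaches EOF while the child is still alive, which can only happen because the child dropped its inherited copy. close_fds_from, reset_signal_handlers and demo_recovery_child_closes_pipe are constructed here and assume a POSIX system.

```c
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef NSIG
#define NSIG 65          /* conservative bound if the platform hides it */
#endif

/* Close all fds >= lowfd; FD_CLOEXEC is no help in a child that never execs. */
static void
close_fds_from (int lowfd)
{
  long max = sysconf (_SC_OPEN_MAX), fd;
  if (max <= 0)
    max = 1024;
  for (fd = lowfd; fd < max; fd++)
    close ((int) fd);
}

/* Restore default dispositions so handlers installed by the parent do not
 * run in the child.  SIGKILL/SIGSTOP just fail with EINVAL. */
static void
reset_signal_handlers (void)
{
  int sig;
  for (sig = 1; sig < NSIG; sig++)
    signal (sig, SIG_DFL);
}

/* Returns 1 if the parent saw EOF on the pipe while the child was still
 * alive.  Without close_fds_from() the read would block until the child exited. */
int
demo_recovery_child_closes_pipe (void)
{
  int pfd[2], got_eof, child_alive;
  pid_t pid;
  char c;
  if (pipe (pfd) == -1 || (pid = fork ()) == -1)
    return 0;
  if (pid == 0) {                 /* the "recovery" child */
    reset_signal_handlers ();
    close_fds_from (3);           /* drops pfd[0] and pfd[1] here */
    sleep (5);                    /* stay alive so the parent can observe */
    _exit (0);
  }
  close (pfd[1]);                 /* parent drops the last writer */
  got_eof = read (pfd[0], &c, 1) == 0;
  child_alive = waitpid (pid, NULL, WNOHANG) == 0;
  kill (pid, SIGTERM);
  waitpid (pid, NULL, 0);
  close (pfd[0]);
  return got_eof && child_alive;
}
```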
* Rebrand 'ordinary appliance' as 'old-style appliance'.  [Richard W.M. Jones, 2012-03-03, 1 file, -1/+1]
  This is just code motion.
* appliance: Make appliance building thread-safe (RHBZ#790721).  [Richard W.M. Jones, 2012-02-15, 1 file, -1/+12]
  Appliance building can be called from multiple processes, but this is
  only safe if each process holds a lock on the 'checksum' file. However
  threads within a process are not excluded by a file lock, and so this
  strategy completely failed for a multithreaded program calling
  guestfs_launch in parallel.

  Since it makes no sense for threads in a single program to race each
  other to try to create the appliance, add a lock around appliance
  building. This serialises building the appliance, but the rest of
  guestfs_launch (eg. starting up qemu) can run in parallel.
* Enable running the daemon under valgrind.  [Richard W.M. Jones, 2012-01-24, 1 file, -0/+10]
  This commit allows you to run the daemon under valgrind. You have to
  enable it at configure time:

    ./configure --enable-valgrind-daemon

  This should *not* be done for production builds.

  When this feature is enabled, valgrind is added to the appliance and the
  daemon is run under valgrind. Log messages from valgrind are passed back
  over a virtio-serial channel into a file called 'valgrind.log.$PID' in
  the top build directory.

  Running 'make check', 'make extra-tests' etc causes many valgrind.log.*
  files to be created which must be examined by hand.
* Tempus fugit.  [Richard W.M. Jones, 2012-01-18, 1 file, -1/+1]
  Update all copyright dates to 2012.
* Allow /dev/null to be added multiple times.  [Richard W.M. Jones, 2012-01-10, 1 file, -1/+8]
  Change the test for duplicate drives so that you're allowed to add
  /dev/null multiple times. This corresponds to traditional usage.

  This amends commit be47b66c3033105a2b880dbc10bfc2b163b7eafe.
* launch: move the filename checking to a wrapper  [Wanlong Gao, 2012-01-09, 1 file, -6/+12]
  Move the filename's comma character checking to a wrapper.

  Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
* launch: don't add a drive twice  [Wanlong Gao, 2012-01-09, 1 file, -2/+12]
  1. Change the g->path to restore an absolute path instead of the mixed.
  2. Check whether the drive being added duplicates an already added drive.

  Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>

  RWMJ:
  - Make sure abs_path is NULL before it is assigned, so freeing it will
    work along the error path.
  - Fix the test which added /dev/null multiple times.
* launch: add a goto label when add_drive error  [Wanlong Gao, 2012-01-09, 1 file, -18/+11]
  Code cleanup. Add a goto label to simplify the code.

  Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
* lib: Add guestfs___remove_tmpdir helper function.  [Richard W.M. Jones, 2011-12-23, 1 file, -0/+30]
  This function does 'rm -rf <dir>' for temporary directories, safely
  working if '<dir>' contains shell meta-characters.

  Replace existing code for removing directories with this.
* Security: Mitigate possible privilege escalation via SG_IO ioctl (CVE-2011-4127, RHBZ#757071)  [Richard W.M. Jones, 2011-12-22, 1 file, -0/+10]
  CVE-2011-4127 is a serious qemu & kernel privilege escalation bug found by
  Paolo Bonzini.

  http://seclists.org/oss-sec/2011/q4/536

  An untrusted guest kernel is able to issue special SG_IO ioctls on virtio
  devices which qemu passes through to the host kernel without filtering or
  sanitizing. These ioctls allow raw sectors from the underlying host
  device to be read and written. Significantly, neither qemu nor the host
  kernel checks that the range of sectors is within the partition / LV
  assigned to the guest. For example, if the guest is assigned host
  partition /dev/sda3, it would be able to read or write any part of
  /dev/sda including other partitions and the boot sector. Exploits through
  LVs passed to the guest are also possible, with some limitations.

  File-backed virtual block devices are not vulnerable. Non-virtio block
  devices are not vulnerable.

  This patch mitigates the problem by disabling the SG_IO ioctl passthrough
  in qemu. Thus if libguestfs is examining an untrusted guest and the
  libguestfs appliance/daemon is compromised (eg. by executing guest
  commands, or through some other compromise), then the compromised
  appliance will not be able to issue the above SG_IO ioctls and exploit
  the host.

  Note that this is just mitigation for libguestfs. Users will still want
  to fully update their host kernel, qemu/KVM and libvirt, in order to
  prevent other (non-libguestfs) routes to compromise.

  The following versions of libguestfs (will/have) this patch applied.

    libguestfs >= 1.15.13
    libguestfs >= 1.14.8
    libguestfs >= 1.12.11
    libguestfs >= 1.10.12
    libguestfs >= 1.8.16

  Earlier versions may be vulnerable unless a downstream packager has
  applied this patch.

  Cc: Hilko Bengen <bengen@hilluzination.de>
* Add test for qemu broken -machine option (RHBZ#748266).  [Richard W.M. Jones, 2011-10-24, 1 file, -0/+12]
  Also add this option, if necessary, when testing for virtio-serial
  support.

  When the workaround is enabled, we specify machine type 'pc'.
* add-drive-opts: Correctly handle unreadable and unwritable files (RHBZ#747287).  [Richard W.M. Jones, 2011-10-21, 1 file, -3/+14]
* lib: Common code for formatting the qemu -drive parameter.  [Richard W.M. Jones, 2011-10-21, 1 file, -28/+32]
  This is just code refactoring.
* inspect: Add drive naming hints  [Matthew Booth, 2011-10-19, 1 file, -0/+8]
  We currently use a heuristic to guess how drive names we find referenced
  in the guest map to drive names in the appliance. If this heuristic fails
  it can cause inspection to fail.

  This change adds a new 'name' option to add_drive_opts, which allows the
  user to explicitly pass the name of a drive to libguestfs if it is known.
  This change also updates the fstab-parsing inspection code to use this
  information if it is available.
* launch: Store drive information in guestfs_h  [Matthew Booth, 2011-10-19, 1 file, -31/+89]
  This is an NFC on its own, but provides a place-holder for drive metadata
  which can be used after launch.

  Fixes by RWMJ:
  - Fix the tests: this requires a new internal function 'debug-drives'
    that dumps out the g->drives information so it can be checked in two of
    the tests. Previously these tests used 'debug-cmdline'.
  - Test file existence / use_cache_off in the add_drive_opts function, not
    when launching qemu in the child process.
  - Call free along error paths.
  - Add comments.
* launch: Ensure g->cmdline is allocated before assigning g->cmdline[0].  [Richard W.M. Jones, 2011-10-19, 1 file, -7/+14]
* Add systemtap/DTrace probes.  [Richard W.M. Jones, 2011-10-10, 1 file, -0/+10]
  Mainly this is a documentation change. However a sample of
  DTrace-compatible userspace probes are also added.
* New API: set-smp, get-smp  [Richard W.M. Jones, 2011-09-28, 1 file, -0/+6]
  These calls allow you to change the number of virtual CPUs assigned to
  the appliance.

  This also adds a --smp option to virt-rescue.
* Add no_timer_check to disable faulty test during boot (RHBZ#502058).  [Richard W.M. Jones, 2011-09-26, 1 file, -0/+1]
  See:
  https://bugzilla.redhat.com/show_bug.cgi?id=502058#c15
  https://bugzilla.redhat.com/show_bug.cgi?id=698842#c8

  This updates commit 79e66f89e2f6c27486476d7857da58feb491bf5c.
* Enable APIC.  [Richard W.M. Jones, 2011-09-21, 1 file, -1/+0]
  Originally this was disabled to work around RHBZ#502058. That bug was
  never officially fixed, but it may have fixed itself. In the meantime,
  KVM has broken ordinary PIC support (RHBZ#723822).

  Since APIC is the most common way that regular Linux and Windows guests
  run it makes sense to remove this hack.
* test_qemu: Improve the error message.  [Richard W.M. Jones, 2011-08-23, 1 file, -1/+2]
  Note that errno is probably not set to a useful value here, so there is
  not much point recording it.
* test_qemu: pclose may return any != 0 on error.  [Richard W.M. Jones, 2011-08-23, 1 file, -1/+1]
  In particular pclose returns a status > 0 if the command fails.
* qemu detection: Free up previous qemu help/version strings if they exist.  [Richard W.M. Jones, 2011-08-23, 1 file, -0/+5]
* Coverity: test_qemu: Ensure FILE * is not leaked along error paths.  [Richard W.M. Jones, 2011-08-23, 1 file, -15/+21]
  This refactors the code in test_qemu slightly to ensure that FILE *fp is
  not leaked on error paths.
* Remove guestfs___print_timestamped_argv.  [Richard W.M. Jones, 2011-08-18, 1 file, -44/+38]
  This function was used to print the qemu and febootstrap-supermin-helper
  command lines.

  Unfortunately in the qemu case it was used incorrectly: it called the
  internal debug function (ie. event API callback) from the forked qemu
  subprocess, which meant that higher level event callbacks might have been
  invoked from the child process.

  To fix this, convert the qemu case into a new function called
  print_qemu_command_line which just prints the command line directly to
  stderr. This is called after stderr has been redirected into the pipe to
  the main process. Thus the qemu command line will be marshalled into the
  event API along with other qemu and appliance output.

  After fixing this, only one use of guestfs___print_timestamped_argv
  remained, for printing the febootstrap-supermin-helper command line. This
  is converted to a local function print_febootstrap_command_line.

  Also print_febootstrap_command_line is now called before we fork
  febootstrap-supermin-helper, so that messages no longer overlap.