| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new API splits orderly close into a two-step process:
if (guestfs_shutdown (g) == -1) {
/* handle the error, eg. qemu error */
}
guestfs_close (g);
Note that the explicit shutdown step is only necessary in the case
where you have made changes to the disk image and want to handle write
errors. Read the documentation for further information.
This change also:
- deprecates guestfs_kill_subprocess
- turns guestfs_kill_subprocess into the same as guestfs_shutdown
- changes guestfish and other tools to call shutdown + close
where necessary (not for read-only tools)
- updates documentation
- updates examples
|
| |
|
|
| |
This is just a comment and has no functional effect.
|
| |
|
|
|
| |
Note that qemu treats these identically, so this change has
no functional effect.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The stdin and stdout of the qemu process are aliased to g->fd:
g->fd[0] = wfd[1];
g->fd[1] = rfd[0];
However if the child exits early, then child_cleanup closes g->fd[0],
g->fd[1], AND the code at the cleanup1 label closes wfd[1], rfd[0],
resulting in a double-close.
Avoid this case by setting wfd[1], rfd[0] to -1. In the cleanup1
label, only close wfd[1], rfd[0] if they are not -1, and add the same
for g->fd[0], g->fd[1].
|
| | |
|
| |
|
|
| |
This fixes commit ef5c02c6ee72eb8e127115923951777a2c2b8480.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Old KVM can't add /dev/null readonly. Treat /dev/null as a special
case.
We also fix a few tests where /dev/null was being used with
format=qcow2. This was always incorrect behaviour, but qemu appears
to tolerate it.
|
| |
|
|
| |
This fixes commit 295d6af48d1d8c5238d1536b0c6a2ece42b0b445.
|
| |
|
|
|
| |
In Koji, when you've got 200+ disks, udev times out before all the
udev events have been processed.
|
| |
|
|
| |
Returns the maximum number of disks that may be added to a handle.
|
| |
|
|
| |
This fixes commit 0c0a7d0d868d153adf0600189f771459e1068b0a.
|
| |
|
|
| |
This requires febootstrap >= 3.15.
|
| |
|
|
|
| |
This allows us to find out what qemu devices are supported
at runtime.
|
| |
|
|
|
|
|
|
|
|
|
| |
QEMU 1.0 was released at the end of 2011.
Remove all the cruft about detecting broken -machine type which
was only required for QEMU 0.15.
This also reverts commit 30ecbf3ec2ada68f7e125a180553e31b069033b7.
Even on ARM you can pass -machine accel=kvm:tcg and qemu does the
right thing, so I'm not sure why we wanted to disable that.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
These were used to select the default drive and network interface.
They both default to 'virtio'.
These were added back in the day when virtio was buggy, so that
packagers could revert to using ide/ne2k_pci to work around distro
bugs. However virtio has been stable in qemu for a very long time, so
it seems unlikely that any packager would need to use these, and in
any case it would be better to do this detection at runtime (cf. for
virtio-scsi).
|
| |
|
|
| |
No functional change.
|
| | |
|
| |
|
|
| |
This is just code motion.
|
| |
|
|
|
|
|
| |
This flag allows extra QEMU options to be passed on the command line.
This is useful mainly on arm (see the notes in the updated README
file).
|
| |
|
|
|
|
|
| |
Presently KVM is only applicable to x86 and x86-64 (although that will
change in future, and there are rumoured to be implementations for
some current non-x86 architectures). In any case having these options
breaks ARM, so disable them for non-x86 architectures at the moment.
|
| |
|
|
| |
Cope with unnecessary lack of standardization.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Originally this state was intended so that in some way you could find
out if the appliance was running a command. However there was never a
thread-safe way to access the state of the handle, so in effect you
could never do anything useful safely with this information.
This commit completely removes the BUSY state.
The only visible change is to the guestfs_is_busy API. Previously you
could never call this safely from another thread. If you called it
from the same thread it would always return false (since the current
thread can't be running a libguestfs command at that point by
definition). Now it always returns false.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove the bogus check_path function and move the functionality into
the two places where it was being used.
qemu -cdrom ,
works fine, I tested it.
Colon cannot be used in a block device filename anywhere, since the
qemu block driver interprets it as a prefix. There is no known way to
work around this problem. I checked this is true with kwolf.
Comma is fine in -drive options, provided it is escaped by doubling it.
|
| |
|
|
| |
This reverts commit be47b66c3033105a2b880dbc10bfc2b163b7eafe.
|
| |
|
|
|
| |
This caused the Python bindings (and probably others) to
segfault because guestfs_last_error(g) would return NULL.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The presumption is that all file descriptors should be created with
the close-on-exec flag set. The only exception are file descriptors
that we want passed through to exec'd subprocesses (mainly pipes and
stdin/stdout/stderr).
For open calls, we pass O_CLOEXEC as an extra flag, eg:
fd = open ("foo", O_RDONLY|O_CLOEXEC);
This is a Linux-ism, but using a macro we can easily make it portable.
For sockets, similarly:
sock = socket (..., SOCK_STREAM|SOCK_CLOEXEC, ...);
For accepted sockets, we use the Linux accept4 system call which
allows flags to be supplied, but we use the Gnulib 'accept4' module to
make this portable.
For dup, dup2, we use the Linux dup3 system call, and the Gnulib
modules 'dup3' and 'cloexec'.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
process.
If the parent process uses a pipe (or any fd, but pipes are a
particular problem), then the recovery process would hold open the
file descriptor(s) of the pipe, meaning that it could not be fully
closed in the parent. Because the recovery process doesn't use
exec(2), this wasn't avoidable even using FD_CLOEXEC.
Avoid this by closing all file descriptors when starting the recovery
process.
After discussion with Dan Berrange, he points out that it's also a
good idea to set signal handlers to the default after forking, so that
any signal handlers set up in the parent don't affect the child.
|
| |
|
|
| |
This is just code motion.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Appliance building can be called from multiple processes, but this is
only safe if each process holds a lock on the 'checksum' file.
However threads within a process are not excluded by a file lock, and
so this strategy completely failed for a multithreaded program calling
guestfs_launch in parallel.
Since it makes no sense for threads in a single program to race each
other to try to create the appliance, add a lock around appliance
building.
This serialises building the appliance, but the rest of guestfs_launch
(eg. starting up qemu) can run in parallel.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit allows you to run the daemon under valgrind. You have to
enable it at configure time:
./configure --enable-valgrind-daemon
This should *not* be done for production builds.
When this feature is enabled, valgrind is added to the appliance and
the daemon is run under valgrind. Log messages from valgrind are
passed back over a virtio-serial channel into a file called
'valgrind.log.$PID' in the top build directory.
Running 'make check', 'make extra-tests' etc causes many
valgrind.log.* files to be created which must be examined by hand.
|
| |
|
|
| |
Update all copyright dates to 2012.
|
| |
|
|
|
|
|
|
| |
Change the test for duplicate drives so that you're allowed to
add /dev/null multiple times. This corresponds to traditional
usage.
This amends commit be47b66c3033105a2b880dbc10bfc2b163b7eafe.
|
| |
|
|
|
|
| |
Move the filename's comma character checking to a wrapper.
Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
1. Change the g->path to restore a absolute path instead of the mixed.
2. Check that if the adding drive is duplicated with the added drive.
Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
RWMJ:
- Make sure abs_path is NULL before it is assigned, so freeing it
will work along the error path.
- Fix the test which added /dev/null multiple times.
|
| |
|
|
|
|
|
| |
Code cleanup.
Add a goto label to simplify the code.
Signed-off-by: Wanlong Gao <gaowanlong@cn.fujitsu.com>
|
| |
|
|
|
|
|
| |
This function does 'rm -rf <dir>' for temporary directories, safely
working if '<dir>' contains shell meta-characters.
Replace existing code for removing directories with this.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(CVE-2011-4127, RHBZ#757071)
CVE-2011-4127 is a serious qemu & kernel privilege escalation bug
found by Paolo Bonzini.
http://seclists.org/oss-sec/2011/q4/536
An untrusted guest kernel is able to issue special SG_IO ioctls on
virtio devices which qemu passes through to the host kernel without
filtering or sanitizing. These ioctls allow raw sectors from the
underlying host device to be read and written. Significantly, neither
qemu nor the host kernel checks that the range of sectors is within
the partition / LV assigned to the guest. For example, if the guest
is assigned host partition /dev/sda3, it would be able to read or
write any part of /dev/sda including other partitions and the boot
sector. Exploits through LVs passed to the guest are also possible,
with some limitations. File-backed virtual block devices are not
vulnerable. Non-virtio block devices are not vulnerable.
This patch mitigates the problem by disabling the SG_IO ioctl
passthrough in qemu. Thus if libguestfs is examining an untrusted
guest and the libguestfs appliance/daemon is compromised (eg. by
executing guest commands, or through some other compromise), then the
compromised appliance will not be able to issue the above SG_IO ioctls
and exploit the host.
Note that this is just mitigation for libguestfs. Users will still
want to fully update their host kernel, qemu/KVM and libvirt, in order
to prevent other (non-libguestfs) routes to compromise.
The following versions of libguestfs (will/have) this patch applied.
libguestfs >= 1.15.13
libguestfs >= 1.14.8
libguestfs >= 1.12.11
libguestfs >= 1.10.12
libguestfs >= 1.8.16
Earlier versions may be vulnerable unless a downstream packager has
applied this patch.
Cc: Hilko Bengen <bengen@hilluzination.de>
|
| |
|
|
|
|
|
| |
Also add this option, if necessary, when testing for virtio-serial
support.
When the workaround is enabled, we specify machine type 'pc'.
|
| | |
|
| |
|
|
| |
This is just code refactoring.
|
| |
|
|
|
|
|
|
|
|
|
| |
We currently use a heuristic to guess how drive names we find
referenced in the guest map to drive names in the appliance. If this
heuristic fails it can cause inspection to fail.
This change adds a new 'name' option to add_drive_opts, which allows
the user to explicitly pass the name of a drive to libguestfs if it is
known. This change also updates the fstab-parsing inspection code to
use this information if it is available.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a NFC on its own, but provides a place-holder for drive metadata which
can be used after launch.
Fixes by RWMJ:
- Fix the tests: this requires a new internal function 'debug-drives'
that dumps out the g->drives information so it can be checked in
two of the tests. Previously these tests used 'debug-cmdline'.
- Test file existence / use_cache_off in the add_drive_opts function,
not when launching qemu in the child process.
- Call free along error paths.
- Add comments.
|
| | |
|
| |
|
|
|
| |
Mainly this is a documentation change. However a sample of
DTrace-compatible userspace probes are also added.
|
| |
|
|
|
|
|
| |
These calls allow you to change the number of virtual CPUs assigned to
the appliance.
This also adds a --smp option to virt-rescue.
|
