Commits on Oct 4, 2012
  1. Correct checking of virStrcpyStatic() return value

    mestery committed with Laine Stump Oct 3, 2012
    Correct the check for the return value of virStrcpyStatic()
    when copying port-profile names. Fixes Open vSwitch ports
    which utilize port-profiles from network definitions.
    Signed-off-by: Kyle Mestery <>
Commits on Oct 3, 2012
  1. docs: rudimentary phyp documentation

    ebblake committed Sep 27, 2012
    Based on a report that phyp is undocumented:
    * docs/ (phyp): New file.
    * docs/ List it.
  2. build: update gnulib for FreeBSD build

    ebblake committed Oct 2, 2012
    Several gnulib tests were failing 'make check', and compilation with
    CFLAGS=-g failed due to a gcc 4.2.1 limitation.
    * .gnulib: Update to latest, for gcc 4.2 support and fixed FreeBSD tests.
  3. doc: update description about security labels on formatdomain.html

    Marcelo Cerri committed with pipo Oct 2, 2012
    This patch adds a brief description about labels for each security
  4. security: also parse user/group names instead of just IDs for DAC labels

    Marcelo Cerri committed with pipo Oct 2, 2012
    The DAC driver is missing parsing of group and user names for DAC labels
    and currently just parses uid and gid. This patch extends it to support
    names, so the following security label definition is now valid:
      <seclabel type='static' model='dac' relabel='yes'>
    When it tries to parse an owner or a group, it first tries to resolve it as
    a name, if it fails or it's an invalid user/group name then it tries to
    parse it as a UID or GID. A leading '+' can also be used for both owner and
    group to force it to be parsed as IDs, so the following example is also
      <seclabel type='static' model='dac' relabel='yes'>
    This ensures that UID 101 and GID 101 will be used instead of a user or
    group named "101".
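
The resolution order described in the DAC label commit above, as an added example that is not libvirt's code: a constructed name table stands in for the passwd/group database, and the function names and the strict digits-only numeric rule are assumptions of this example. It shows why the leading '+' matters when an account is literally named "101".

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Constructed name table standing in for the passwd/group database
 * (hypothetical entries; note the account literally named "101"). */
struct entry { const char *name; unsigned int id; };
static const struct entry sample_users[] = {
    { "qemu", 107 }, { "101", 5000 }, { NULL, 0 }
};

/* Return 0 and set *id if name is in the table, -1 otherwise. */
static int lookup_name(const struct entry *tab, const char *name,
                       unsigned int *id)
{
    for (; tab->name; tab++) {
        if (strcmp(tab->name, name) == 0) {
            *id = tab->id;
            return 0;
        }
    }
    return -1;
}

/* Strict decimal parse (this example's choice): digits only, no sign,
 * no trailing bytes, no overflow. strtoul alone would accept "-1". */
static int parse_numeric(const char *s, unsigned int *id)
{
    char *end;
    unsigned long v;

    if (*s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno || *end != '\0' || v > UINT_MAX)
        return -1;
    *id = (unsigned int)v;
    return 0;
}

/* Resolve one owner or group field: '+' forces an ID, otherwise the
 * name lookup is tried first and the numeric parse is the fallback. */
int parse_owner_field(const struct entry *tab, const char *field,
                      unsigned int *id)
{
    if (field[0] == '+')
        return parse_numeric(field + 1, id);
    if (lookup_name(tab, field, id) == 0)
        return 0;
    return parse_numeric(field, id);
}
```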
Commits on Oct 2, 2012
  1. build: avoid -Wno-format on new-enough gcc

    ebblake committed Oct 2, 2012
    Commit c579d6b added a sledgehammer to silence spurious warnings from
    gcc 4.2, but in the process, it also silenced useful warnings from
    gcc 4.3 through 4.5.  As a result, a bug slipped in to commit 0caccb5.
    Tested with FreeBSD (gcc 4.2.1), RHEL 6.3 (gcc 4.4), and F17 (gcc 4.7.2),
    where the former didn't trip on spurious warnings, and where the latter
    two detected a revert of 2b804cf.
    * m4/virt-compile-warnings.m4 (-Wno-format): Probe for the actual
    spurious message, to once again allow gcc 4.4 to use -Wformat.
  2. build: fix typo in debug message

    ebblake committed Oct 2, 2012
    Introduced in commit 0caccb5.
      CC     libvirt_driver_qemu_impl_la-qemu_capabilities.lo
    ../../src/qemu/qemu_capabilities.c: In function 'qemuCapsInitQMP':
    ../../src/qemu/qemu_capabilities.c:2327:13: error: format '%d' expects argument of type 'int', but argument 8 has type 'const char *' [-Werror=format]
    * src/qemu/qemu_capabilities.c (qemuCapsInitQMP): Use correct format.
  3. qemu: Kill processes used for QMP caps probing

    jirkade committed Oct 2, 2012
    Since libvirt switched to QMP capabilities probing recently, it starts
    QEMU process used for this probing with -daemonize, which means
    virCommandAbort can no longer reach these processes. As a result of
    that, restarting libvirtd will leave several new QEMU processes behind.
    Let's use QEMU's -pidfile and use it to kill the process when QMP caps
    probing is done.
  4. qemu: Use proper agent entering function when freezing filesystems

    pipo committed Oct 1, 2012
    When doing snapshots, the filesystem freeze function used the agent
    entering function that expects the qemud_driver unlocked. This might
    cause a deadlock of the qemu driver if the agent does not respond.
    The only call path of this function has the qemud_driver locked, so this
    patch changes the entering functions to those expecting the driver
  5. lxc: Correctly report active cgroups

    zippy2 committed Oct 1, 2012
    There was an inverted return value in lxcCgroupControllerActive().
    The function assumes cgroups are active and does a couple of checks
    to prove that. If any of them fails, false is returned. Therefore,
    at the end, after all checks are done we must return true, not false.
Commits on Oct 1, 2012
  1. build: avoid journald on rhel 5

    ebblake committed Oct 1, 2012
    Commit f643039 broke builds on RHEL 5, where glibc (2.5) is too
    old to support mkostemp (2.7) or htole64 (2.9).  While gnulib
    has mkostemp, it still lacks htole64; and it's not worth dragging
    in replacements on systems where journald is unlikely to exist
    in the first place, so we just use an extra configure-time check
    as our witness of whether to attempt compiling the code.
    * src/util/logging.c (virLogParseOutputs): Don't attempt to
    compile journald on older glibc.
    * (AC_CHECK_DECLS): Check for htole64.
  2. build: fix bitmap conversion when !CPU_ALLOC

    ebblake committed Oct 1, 2012
    Commit f1a43a8 missed one side of an #if/#else.
    * src/util/processinfo.c (virProcessInfoGetAffinity): Use correct
    bitmap operation.
  3. Add note about numeric domain names to manpage

    READ10 committed with ebblake Oct 1, 2012
    Clarify that domains with numeric names can only be identified by
    their domain id.
  4. build: avoid infinite autogen loop

    ebblake committed Oct 1, 2012
    Several people have reported that if the .gnulib submodule is dirty,
    then 'make' will go into an infinite loop attempting to rerun bootstrap,
    because that never cleans up the dirty submodule.  By default, we
    should halt and make the user investigate, but if the user doesn't
    know why or care that the submodule is dirty, I also added the ability
    to 'make CLEAN_SUBMODULE=1' to get things going again.
    Also, while testing this, I noticed that when a submodule update was
    needed, 'make' would first run autoreconf, then bootstrap (which
    reruns autoreconf); adding a strategic dependency allows for less work.
    * .gnulib: Update to latest, for improvements.
    * (_autogen): Also hook, to run before autoreconf.
    * (bootstrap): Refuse to run if gnulib is dirty, unless
    user requests discarding gnulib changes.
Commits on Sep 29, 2012
  1. hyperv: Fix and improve hypervListAllDomains

    photron committed Sep 9, 2012
    Use MATCH for all flags checks.
    hypervMsvmComputerSystemToDomain expects the domain pointer to be
    initialized to NULL.
    All items in doms up to the count-th one are valid, no need to double
    check before freeing them.
  2. esx: Fix and improve esxListAllDomains function

    photron committed Sep 9, 2012
    Avoid requesting information such as identity or power state when it
    is not necessary.
    Lookup virtual machine list with the required fields (configStatus,
    name, and config.uuid) to make esxVI_GetVirtualMachineIdentity work.
    No need to call esxVI_GetNumberOfSnapshotTrees. rootSnapshotTreeList
    can be tested for emptiness by checking it for NULL.
    esxVI_LookupRootSnapshotTreeList already does the error reporting,
    don't overwrite it.
    Check if autostart is enabled at all before looking up the individual
    autostart setting of a virtual machine.
    Reorder VIR_EXPAND_N(doms, ndoms, 1) to avoid leaking the result of
    the call to virGetDomain if VIR_EXPAND_N fails.
    Replace VIR_EXPAND_N by VIR_RESIZE_N to avoid quadratic scaling, as in
    the Hyper-V version of the function.
    If virGetDomain fails it already reports an error, don't overwrite it
    with an OOM error.
    All items in doms up to the count-th one are valid, no need to double
    check before freeing them.
    Finally, don't leak autoStartDefaults and powerInfoList.
Commits on Sep 28, 2012
  1. build: default selinuxfs mount point to /sys/fs/selinux

    rhatdan committed with ebblake Sep 28, 2012
    Currently if you build on a machine that does not support SELinux we end up
    with the default mount point being /selinux, since this is moved to
    /sys/fs/selinux, we should start defaulting there.
    I believe this is causing a bug in libvirt-lxc when /selinux does not exist,
    even though /sys/fs/selinux exists.
  2. Add support for detecting capabilities using QMP commands

    berrange committed Aug 22, 2012
    Start a QEMU process using
       $QEMU -S -no-user-config -nodefaults \
             -nographic -M none -qmp unix:/some/path,server,nowait
    and talk QMP over stdio to discover what capabilities the
    binary supports. This works for QEMU 1.2.0 or later and
    for older QEMU automatically fall back to the old approach
    of parsing -help and related command line args.
    Signed-off-by: Daniel P. Berrange <>
  3. Ignore error from query-cpu-definitions

    berrange committed Sep 28, 2012
    Some architectures provide the query-cpu-definitions command,
    but are set to always return a "GenericError" from it :-(
    Catch this & treat it as if there was an empty list of CPUs
    Signed-off-by: Daniel P. Berrange <>
  4. Avoid bogus I/O event errors when closing the QEMU monitor

    berrange committed Sep 28, 2012
    After calling qemuMonitorClose(), it is still possible for
    the QEMU monitor I/O event callback to get invoked. This
    will trigger an error message because mon->fd has been set
    to -1 at this point. Silently ignore the case where mon->fd
    is -1, likewise for mon->watch being zero.
    Signed-off-by: Daniel P. Berrange <>
  5. Remove need to pass in a virDomainObjPtr instance to qemuMonitorOpen

    berrange committed Sep 28, 2012
    The qemuMonitorOpen method only needs a virDomainObjPtr in order
    to access the QEMU pid. This is not critical when detecting the
    QEMU capabilities, so can easily be skipped
    Signed-off-by: Daniel P. Berrange <>
  6. Fix QEMU test with 1.2.0 help output

    berrange committed Sep 28, 2012
    The help output for QEMU 1.2.0 changed 'pci-assign' to 'kvm-pci-assign'.
    Since the new capabilities code does exact device name matching
    instead of substring matching, this caused the capabilities to go
    Signed-off-by: Daniel P. Berrange <>
  7. ARMHF: implement /proc/cpuinfo parsing

    zulcss committed with ebblake Jul 26, 2012
    Minimal CPU "parser" for armhf to avoid compile time warning.
    Signed-off-by: Chuck Short <>
  8. Automatically enable systemd journal logging

    berrange committed Sep 27, 2012
    Probe to see if the systemd journal is accessible, and if
    so enable logging to the journal by default, rather than
    stderr (current default under systemd).
    Signed-off-by: Daniel P. Berrange <>
  9. Add systemd journal support

    berrange committed Sep 25, 2012
    Add support for logging to the systemd journal, using its
    simple client library. The benefit over syslog is that it
    accepts structured log data, so the journald can store
    individual items like code file/line/func separately from
    the string message. Tools which require structured log
    data can then query the journal to extract exactly what
    they desire without resorting to string parsing
    While systemd provides a simple client library for logging,
    it is more convenient for libvirt to directly write its
    own client code. This lets us build up the iovec's on
    the stack, avoiding the need to alloc memory when writing
    log messages.
    Signed-off-by: Daniel P. Berrange <>
  10. Refactor qemuCapsParseDeviceStr to work from data tables

    berrange committed Sep 13, 2012
    Currently the qemuCapsParseDeviceStr method has a bunch of open
    coded string searches/comparisons to detect devices and their
    properties. Soon this data will be obtained from QMP queries
    instead of -device help output. Maintaining the list of device
    and properties in two places is undesirable. Thus the existing
    qemuCapsParseDeviceStr() method needs to be refactored to
    separate the device types and properties from the actual
    search code.
    Thus the -device help output is now parsed to construct a
    list of device names, and device properties. These are then
    checked against a set of datatables to set the capability
    Signed-off-by: Daniel P. Berrange <>
  11. Don't initialize logging twice in libvirtd

    berrange committed Sep 27, 2012
    The virInitialize function initializes logging from the env,
    so there is no need for another call to virLogSetFromEnv
    Signed-off-by: Daniel P. Berrange <>
  12. Change logging category parameter into an enum

    berrange committed Sep 27, 2012
    The 'const char *category' parameter only has a few possible
    values now that the filename has been separated. Turn this
    parameter into an enum instead.
    Signed-off-by: Daniel P. Berrange <>
  13. Include filename explicitly in logging APIs

    berrange committed Sep 27, 2012
    Currently the logging APIs have a 'const char *category' parameter
    which indicates where the log message comes from. This is typically
    a combination of the __FILE__ string and other prefix. Split the
    __FILE__ off into a dedicated parameter so it can be passed to the
    log outputs
    Signed-off-by: Daniel P. Berrange <>
  14. Whitespace cleanup in logging files

    berrange committed Sep 27, 2012
    General whitespace cleanup in the logging files
     - Move '{' to a new line after function declaration
     - Put each parameter on a new line to avoid long lines
     - Put return type on new line
     - Leave 2 blank lines between functions
    Signed-off-by: Daniel P. Berrange <>
  15. s/int/virLogDestination/ in logging code

    berrange committed Sep 27, 2012
    The log destinations are an enum, but most of the code was
    just using a plain 'int' for function params / variables.
    Signed-off-by: Daniel P. Berrange <>
  16. s/long long/size_t/ for file line numbers in logging code

    berrange committed Sep 27, 2012
    The __LINE__ macro value is specified to fit in the size_t
    type, so use that instead of 'long long' in the logging code
    Signed-off-by: Daniel P. Berrange <>
  17. s/int/virLogPriority/ in logging code

    berrange committed Sep 27, 2012
    The log priority levels are an enum, but most of the code was
    just using a plain 'int' for function params / variables.
    Signed-off-by: Daniel P. Berrange <>
  18. python: return error if PyObject obj is NULL for unwrapper helper fun…

    Guannan Ren committed Sep 26, 2012
    The result is indeterminate for NULL argument to python
    functions as follows. It's better to return negative value in
    these situations.
    PyObject_IsTrue will segfault if the argument is NULL
    PyFloat_AsDouble(NULL) is -1.000000
    PyLong_AsUnsignedLongLong(NULL) is 0.000000
Commits on Sep 27, 2012
  1. network: fix dnsmasq/radvd binding to IPv6 on recent kernels

    Benjamin Cama committed with ebblake Sep 26, 2012
    I hit this problem recently when trying to create a bridge with an IPv6
    address on a 3.2 kernel: dnsmasq (and, further, radvd) would not bind to
    the given address, waiting 20s and then giving up with -EADDRNOTAVAIL
    (resp. exiting immediately with "error parsing or activating the config
    file", without libvirt noticing it, BTW). This can be reproduced with (I
    think) any kernel >= 2.6.39 and the following XML (to be used with
    "virsh net-create"):
              <bridge name='testbr0' />
              <ip family='ipv6' address='fd00::1' prefix='64'>
    (it happens even when you have an IPv4, too)
    The problem is that since commit [1] (which, ironically, was made to
    “help IPv6 autoconfiguration”) the linux bridge code makes bridges
    behave like “real” devices regarding carrier detection. This makes the
    bridges created by libvirt, which are started without any up devices,
    stay with the NO-CARRIER flag set, and thus prevents DAD (Duplicate
    address detection) from happening, thus letting the IPv6 address flagged
    as “tentative”. Such addresses cannot be bound to (see RFC 2462), so
    dnsmasq fails binding to it (for radvd, it detects that "interface XXX
    is not RUNNING", thus that "interface XXX does not exist, ignoring the
    interface" (sic)). It seems that this behavior was enhanced somehow with
    commit [2] by avoiding setting NO-CARRIER on empty bridges, but I
    couldn't reproduce this behavior on my kernel. Anyway, with the “dummy
    tap to set MAC address” trick, this wouldn't work.
    To fix this, the idea is to get the bridge's attached device to be up so
    that DAD can happen (deactivating DAD altogether is not a good idea, I
    think). Currently, libvirt creates a dummy TAP device to set the MAC
    address of the bridge, keeping it down. But even if we set this device
    up, it is not RUNNING as soon as the tap file descriptor attached to it
    is closed, thus still preventing DAD. So, we must modify the API a bit,
    so that we can get the fd, keep the tap device persistent, run the
    daemons, and close it after DAD has taken place. After that, the bridge
    will be flagged NO-CARRIER again, but the daemons will be running, even
    if not happy about the device's state (but we don't really care about
    the bridge's daemons doing anything when no up interface is connected to
    Other solutions that I envisioned were:
          * Keeping the *-nic interface up: this would waste an fd for each
            bridge during all its life. May be acceptable, I don't really
          * Stop using the dummy tap trick, and set the MAC address directly
            on the bridge: it is possible since quite some time it seems,
            even if then there is the problem of the bridge not being
            RUNNING when empty, contrary to what [2] says, so this will need
            fixing (and this fix only happened in 3.1, so it wouldn't work
            for 2.6.39)
          * Using the --interface option of dnsmasq, but I saw somewhere
            that it's not used by libvirt for backward compatibility. I am
            not sure this would solve this problem, though, as I don't know
            how dnsmasq binds itself to it with this option.
    This is why this patch does what's described earlier.
    This patch also makes radvd start even if the interface is
    “missing” (i.e. it is not RUNNING), as it daemonizes before binding to
    it, and thus sometimes does it after the interface has been brought down
    by us (by closing the tap fd), and then originally stops. This also
    makes it stop yelling about it in the logs when the interface is down at
    a later time.