diff options
| author | Peter Maydell <peter.maydell@linaro.org> | 2020-08-28 18:37:49 +0100 |
|---|---|---|
| committer | Peter Maydell <peter.maydell@linaro.org> | 2020-08-28 18:37:49 +0100 |
| commit | a4e236b7d4badcd7383ed3cb86655e9bba0583cf (patch) | |
| tree | 4e6f6ff37842641ea1670f010eb1f9462042b7e7 | |
| parent | ea1bb830cb021cca2e361091cf728aaabc8c0654 (diff) | |
| parent | fd9279ec9985d9c8a0b533eff24839f93695b0f4 (diff) | |
Merge remote-tracking branch 'remotes/dgilbert/tags/pull-migration-20200828a' into staging
Migration and virtiofsd pull 2020-08-28
Migration:
vsock support for migration
minor fixes
virtiofsd:
Disable remote posix locks by default - because we
never supported blocking variants and this breaks things
Some prep work for un/less priviliged modes
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
# gpg: Signature made Fri 28 Aug 2020 13:43:18 BST
# gpg: using RSA key 45F5C71B4A0CB7FB977A9FA90516331EBC5BFDE7
# gpg: Good signature from "Dr. David Alan Gilbert (RH2) <dgilbert@redhat.com>" [full]
# Primary key fingerprint: 45F5 C71B 4A0C B7FB 977A 9FA9 0516 331E BC5B FDE7
* remotes/dgilbert/tags/pull-migration-20200828a:
virtiofsd: probe unshare(CLONE_FS) and print an error
virtiofsd: drop CAP_DAC_READ_SEARCH
virtiofsd: Remove "norace" from cmdline help and docs
virtiofsd: Disable remote posix locks by default
migration: tls: fix memory leak in migration_tls_get_creds
migration: improve error reporting of block driver state name
migration: add vsock as data channel support
migration: unify the framework of socket-type channel
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
| -rw-r--r-- | docs/tools/virtiofsd.rst | 5 | ||||
| -rw-r--r-- | migration/migration.c | 20 | ||||
| -rw-r--r-- | migration/savevm.c | 12 | ||||
| -rw-r--r-- | migration/socket.c | 72 | ||||
| -rw-r--r-- | migration/socket.h | 11 | ||||
| -rw-r--r-- | migration/tls.c | 1 | ||||
| -rw-r--r-- | tests/qemu-iotests/267.out | 4 | ||||
| -rw-r--r-- | tools/virtiofsd/fuse_virtio.c | 16 | ||||
| -rw-r--r-- | tools/virtiofsd/helper.c | 2 | ||||
| -rw-r--r-- | tools/virtiofsd/passthrough_ll.c | 3 |
10 files changed, 54 insertions, 92 deletions
diff --git a/docs/tools/virtiofsd.rst b/docs/tools/virtiofsd.rst index 824e713491..e33c81ed41 100644 --- a/docs/tools/virtiofsd.rst +++ b/docs/tools/virtiofsd.rst @@ -63,11 +63,8 @@ Options Print only log messages matching LEVEL or more severe. LEVEL is one of ``err``, ``warn``, ``info``, or ``debug``. The default is ``info``. - * norace - - Disable racy fallback. The default is false. - * posix_lock|no_posix_lock - - Enable/disable remote POSIX locks. The default is ``posix_lock``. + Enable/disable remote POSIX locks. The default is ``no_posix_lock``. * readdirplus|no_readdirplus - Enable/disable readdirplus. The default is ``readdirplus``. diff --git a/migration/migration.c b/migration/migration.c index dbd4afa1e8..58a5452471 100644 --- a/migration/migration.c +++ b/migration/migration.c @@ -378,21 +378,21 @@ void migrate_add_address(SocketAddress *address) void qemu_start_incoming_migration(const char *uri, Error **errp) { - const char *p; + const char *p = NULL; qapi_event_send_migration(MIGRATION_STATUS_SETUP); if (!strcmp(uri, "defer")) { deferred_incoming_migration(errp); - } else if (strstart(uri, "tcp:", &p)) { - tcp_start_incoming_migration(p, errp); + } else if (strstart(uri, "tcp:", &p) || + strstart(uri, "unix:", NULL) || + strstart(uri, "vsock:", NULL)) { + socket_start_incoming_migration(p ? p : uri, errp); #ifdef CONFIG_RDMA } else if (strstart(uri, "rdma:", &p)) { rdma_start_incoming_migration(p, errp); #endif } else if (strstart(uri, "exec:", &p)) { exec_start_incoming_migration(p, errp); - } else if (strstart(uri, "unix:", &p)) { - unix_start_incoming_migration(p, errp); } else if (strstart(uri, "fd:", &p)) { fd_start_incoming_migration(p, errp); } else { @@ -2094,7 +2094,7 @@ void qmp_migrate(const char *uri, bool has_blk, bool blk, { Error *local_err = NULL; MigrationState *s = migrate_get_current(); - const char *p; + const char *p = NULL; if (!migrate_prepare(s, has_blk && blk, has_inc && inc, has_resume && resume, errp)) { @@ -2102,16 +2102,16 @@ void qmp_migrate(const char *uri, bool has_blk, bool blk, return; } - if (strstart(uri, "tcp:", &p)) { - tcp_start_outgoing_migration(s, p, &local_err); + if (strstart(uri, "tcp:", &p) || + strstart(uri, "unix:", NULL) || + strstart(uri, "vsock:", NULL)) { + socket_start_outgoing_migration(s, p ? p : uri, &local_err); #ifdef CONFIG_RDMA } else if (strstart(uri, "rdma:", &p)) { rdma_start_outgoing_migration(s, p, &local_err); #endif } else if (strstart(uri, "exec:", &p)) { exec_start_outgoing_migration(s, p, &local_err); - } else if (strstart(uri, "unix:", &p)) { - unix_start_outgoing_migration(s, p, &local_err); } else if (strstart(uri, "fd:", &p)) { fd_start_outgoing_migration(s, p, &local_err); } else { diff --git a/migration/savevm.c b/migration/savevm.c index a843d202b5..304d98ff78 100644 --- a/migration/savevm.c +++ b/migration/savevm.c @@ -2682,7 +2682,7 @@ int save_snapshot(const char *name, Error **errp) if (!bdrv_all_can_snapshot(&bs)) { error_setg(errp, "Device '%s' is writable but does not support " - "snapshots", bdrv_get_device_name(bs)); + "snapshots", bdrv_get_device_or_node_name(bs)); return ret; } @@ -2691,7 +2691,7 @@ int save_snapshot(const char *name, Error **errp) ret = bdrv_all_delete_snapshot(name, &bs1, errp); if (ret < 0) { error_prepend(errp, "Error while deleting snapshot on device " - "'%s': ", bdrv_get_device_name(bs1)); + "'%s': ", bdrv_get_device_or_node_name(bs1)); return ret; } } @@ -2766,7 +2766,7 @@ int save_snapshot(const char *name, Error **errp) ret = bdrv_all_create_snapshot(sn, bs, vm_state_size, &bs); if (ret < 0) { error_setg(errp, "Error while creating snapshot on '%s'", - bdrv_get_device_name(bs)); + bdrv_get_device_or_node_name(bs)); goto the_end; } @@ -2884,14 +2884,14 @@ int load_snapshot(const char *name, Error **errp) if (!bdrv_all_can_snapshot(&bs)) { error_setg(errp, "Device '%s' is writable but does not support snapshots", - bdrv_get_device_name(bs)); + bdrv_get_device_or_node_name(bs)); return -ENOTSUP; } ret = bdrv_all_find_snapshot(name, &bs); if (ret < 0) { error_setg(errp, "Device '%s' does not have the requested snapshot '%s'", - bdrv_get_device_name(bs), name); + bdrv_get_device_or_node_name(bs), name); return ret; } @@ -2920,7 +2920,7 @@ int load_snapshot(const char *name, Error **errp) ret = bdrv_all_goto_snapshot(name, &bs, errp); if (ret < 0) { error_prepend(errp, "Could not load snapshot '%s' on '%s': ", - name, bdrv_get_device_name(bs)); + name, bdrv_get_device_or_node_name(bs)); goto err_drain; } diff --git a/migration/socket.c b/migration/socket.c index 97c9efde59..6016642e04 100644 --- a/migration/socket.c +++ b/migration/socket.c @@ -50,34 +50,6 @@ int socket_send_channel_destroy(QIOChannel *send) return 0; } -static SocketAddress *tcp_build_address(const char *host_port, Error **errp) -{ - SocketAddress *saddr; - - saddr = g_new0(SocketAddress, 1); - saddr->type = SOCKET_ADDRESS_TYPE_INET; - - if (inet_parse(&saddr->u.inet, host_port, errp)) { - qapi_free_SocketAddress(saddr); - return NULL; - } - - return saddr; -} - - -static SocketAddress *unix_build_address(const char *path) -{ - SocketAddress *saddr; - - saddr = g_new0(SocketAddress, 1); - saddr->type = SOCKET_ADDRESS_TYPE_UNIX; - saddr->u.q_unix.path = g_strdup(path); - - return saddr; -} - - struct SocketConnectData { MigrationState *s; char *hostname; @@ -109,9 +81,10 @@ static void socket_outgoing_migration(QIOTask *task, object_unref(OBJECT(sioc)); } -static void socket_start_outgoing_migration(MigrationState *s, - SocketAddress *saddr, - Error **errp) +static void +socket_start_outgoing_migration_internal(MigrationState *s, + SocketAddress *saddr, + Error **errp) { QIOChannelSocket *sioc = qio_channel_socket_new(); struct SocketConnectData *data = g_new0(struct SocketConnectData, 1); @@ -135,27 +108,18 @@ static void socket_start_outgoing_migration(MigrationState *s, NULL); } -void tcp_start_outgoing_migration(MigrationState *s, - const char *host_port, - Error **errp) +void socket_start_outgoing_migration(MigrationState *s, + const char *str, + Error **errp) { Error *err = NULL; - SocketAddress *saddr = tcp_build_address(host_port, &err); + SocketAddress *saddr = socket_parse(str, &err); if (!err) { - socket_start_outgoing_migration(s, saddr, &err); + socket_start_outgoing_migration_internal(s, saddr, &err); } error_propagate(errp, err); } -void unix_start_outgoing_migration(MigrationState *s, - const char *path, - Error **errp) -{ - SocketAddress *saddr = unix_build_address(path); - socket_start_outgoing_migration(s, saddr, errp); -} - - static void socket_accept_incoming_migration(QIONetListener *listener, QIOChannelSocket *cioc, gpointer opaque) @@ -173,8 +137,9 @@ static void socket_accept_incoming_migration(QIONetListener *listener, } -static void socket_start_incoming_migration(SocketAddress *saddr, - Error **errp) +static void +socket_start_incoming_migration_internal(SocketAddress *saddr, + Error **errp) { QIONetListener *listener = qio_net_listener_new(); size_t i; @@ -207,20 +172,13 @@ static void socket_start_incoming_migration(SocketAddress *saddr, } } -void tcp_start_incoming_migration(const char *host_port, Error **errp) +void socket_start_incoming_migration(const char *str, Error **errp) { Error *err = NULL; - SocketAddress *saddr = tcp_build_address(host_port, &err); + SocketAddress *saddr = socket_parse(str, &err); if (!err) { - socket_start_incoming_migration(saddr, &err); + socket_start_incoming_migration_internal(saddr, &err); } qapi_free_SocketAddress(saddr); error_propagate(errp, err); } - -void unix_start_incoming_migration(const char *path, Error **errp) -{ - SocketAddress *saddr = unix_build_address(path); - socket_start_incoming_migration(saddr, errp); - qapi_free_SocketAddress(saddr); -} diff --git a/migration/socket.h b/migration/socket.h index 528c3b0202..891dbccceb 100644 --- a/migration/socket.h +++ b/migration/socket.h @@ -23,13 +23,8 @@ void socket_send_channel_create(QIOTaskFunc f, void *data); int socket_send_channel_destroy(QIOChannel *send); -void tcp_start_incoming_migration(const char *host_port, Error **errp); +void socket_start_incoming_migration(const char *str, Error **errp); -void tcp_start_outgoing_migration(MigrationState *s, const char *host_port, - Error **errp); - -void unix_start_incoming_migration(const char *path, Error **errp); - -void unix_start_outgoing_migration(MigrationState *s, const char *path, - Error **errp); +void socket_start_outgoing_migration(MigrationState *s, const char *str, + Error **errp); #endif diff --git a/migration/tls.c b/migration/tls.c index 5171afc6c4..7a02ec8656 100644 --- a/migration/tls.c +++ b/migration/tls.c @@ -58,7 +58,6 @@ migration_tls_get_creds(MigrationState *s, return NULL; } - object_ref(OBJECT(ret)); return ret; } diff --git a/tests/qemu-iotests/267.out b/tests/qemu-iotests/267.out index d6d80c099f..215902b3ad 100644 --- a/tests/qemu-iotests/267.out +++ b/tests/qemu-iotests/267.out @@ -81,11 +81,11 @@ Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 Testing: -blockdev driver=file,filename=TEST_DIR/t.IMGFMT,node-name=file QEMU X.Y.Z monitor - type 'help' for more information (qemu) savevm snap0 -Error: Device '' is writable but does not support snapshots +Error: Device 'file' is writable but does not support snapshots (qemu) info snapshots No available block device supports snapshots (qemu) loadvm snap0 -Error: Device '' is writable but does not support snapshots +Error: Device 'file' is writable but does not support snapshots (qemu) quit Formatting 'TEST_DIR/t.IMGFMT', fmt=IMGFMT size=134217728 diff --git a/tools/virtiofsd/fuse_virtio.c b/tools/virtiofsd/fuse_virtio.c index 3b6d16a041..9e5537506c 100644 --- a/tools/virtiofsd/fuse_virtio.c +++ b/tools/virtiofsd/fuse_virtio.c @@ -949,6 +949,22 @@ int virtio_session_mount(struct fuse_session *se) { int ret; + /* + * Test that unshare(CLONE_FS) works. fv_queue_worker() will need it. It's + * an unprivileged system call but some Docker/Moby versions are known to + * reject it via seccomp when CAP_SYS_ADMIN is not given. + * + * Note that the program is single-threaded here so this syscall has no + * visible effect and is safe to make. + */ + ret = unshare(CLONE_FS); + if (ret == -1 && errno == EPERM) { + fuse_log(FUSE_LOG_ERR, "unshare(CLONE_FS) failed with EPERM. If " + "running in a container please check that the container " + "runtime seccomp policy allows unshare.\n"); + return -1; + } + ret = fv_create_listen_socket(se); if (ret < 0) { return ret; diff --git a/tools/virtiofsd/helper.c b/tools/virtiofsd/helper.c index 3105b6c23a..7bc5d7dc5a 100644 --- a/tools/virtiofsd/helper.c +++ b/tools/virtiofsd/helper.c @@ -159,8 +159,6 @@ void fuse_cmdline_help(void) " -o max_idle_threads the maximum number of idle worker " "threads\n" " allowed (default: 10)\n" - " -o norace disable racy fallback\n" - " default: false\n" " -o posix_lock|no_posix_lock\n" " enable/disable remote posix lock\n" " default: posix_lock\n" diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c index 63d1d00565..784330e0e4 100644 --- a/tools/virtiofsd/passthrough_ll.c +++ b/tools/virtiofsd/passthrough_ll.c @@ -2596,7 +2596,6 @@ static void setup_capabilities(char *modcaps_in) if (capng_updatev(CAPNG_ADD, CAPNG_PERMITTED | CAPNG_EFFECTIVE, CAP_CHOWN, CAP_DAC_OVERRIDE, - CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID, CAP_SETGID, @@ -2823,7 +2822,7 @@ int main(int argc, char *argv[]) struct lo_data lo = { .debug = 0, .writeback = 0, - .posix_lock = 1, + .posix_lock = 0, .proc_self_fd = -1, }; struct lo_map_elem *root_elem; |