network: avoid trying to create global firewall rules if unprivileged
The unprivileged libvirtd does not have permission to create firewall
rules, or bridge devices, or do anything to the host network in
general. Historically we still activate the network driver though and
let the network start API call fail.
The startup code path which reloads firewall rules on active networks
would thus effectively be a no-op when unprivileged as it is impossible
for there to be any active networks
With the change to use a global set of firewall chains, however, we now
have code that is run unconditionally.
Ideally we would not register the network driver at all when
unprivileged, but the entanglement with the virt drivers currently makes
that impractical. As a temporary hack, we just make the firewall reload
into a no-op.
Signed-off-by: Daniel P. Berrangé <email address hidden>
(cherry picked from commit 5d010c3df6152cf5fb00f1f67d22151241f4a8a2)
network: split setup of ipv4 and ipv6 top level chains
During startup libvirtd creates top level chains for both ipv4
and ipv6 protocols. If this fails for any reason then startup
of virtual networks is blocked.
The default virtual network, however, only requires use of ipv4
and some servers have ipv6 disabled so it is expected that ipv6
chain creation will fail. There could equally be servers with
no ipv4, only ipv6.
This patch thus makes error reporting a little more fine grained
so that it works more sensibly when either ipv4 or ipv6 is
disabled on the server. Only the protocols that are actually
used by the virtual network have errors reported.
Reviewed-by: Andrea Bolognani <email address hidden>
Signed-off-by: Daniel P. Berrangé <email address hidden>
(cherry picked from commit 686803a1a2e1e0641916b1c9e2c7e3910fe598d4)
network: improve error report when firewall chain creation fails
During startup we create some top level chains in which all
virtual network firewall rules will be placed. The upfront
creation is done to avoid slowing down creation of individual
virtual networks by checking for chain existance every time.
There are some factors which can cause this upfront creation
to fail and while a message will get into the libvirtd log
this won't be seen by users who later try to start a virtual
network. Instead they'll just get a message saying that the
libvirt top level chain does not exist. This message is
accurate, but unhelpful for solving the root cause.
This patch thus saves any error during daemon startup and
reports it when trying to create a virtual network later.
Reviewed-by: Andrea Bolognani <email address hidden>
Signed-off-by: Daniel P. Berrangé <email address hidden>
(cherry picked from commit 9f4e35dc73ec9e940aa61bc7c140c2b800218ef3)
The rbd_list method has been deprecated in Ceph >= 14.0.0
in favour of the new rbd_list2 method which populates an
array of structs.
Reviewed-by: Ján Tomko <email address hidden>
Signed-off-by: Daniel P. Berrangé <email address hidden>
(cherry picked from commit 3aa190f2a43a632b542a6ba751a6c3ab4d51f1dd)
The rbd_list method has a quite unpleasant signature returning an
array of strings in a single buffer instead of an array. It is
being deprecated in favour of rbd_list2. To maintain clarity of
code when supporting both APIs in parallel, split the rbd_list
code out into a separate method.
In splitting this we now honour the rbd_list failures.
Reviewed-by: Ján Tomko <email address hidden>
Signed-off-by: Daniel P. Berrangé <email address hidden>
(cherry picked from commit 28c8403ed07896d6d7e06d7726ed904027206719)
cc9c141...
by
Daniel Veillard <email address hidden>
Release of libvirt-5.1.0
* docs/news.xml: updated for release
Signed-off-by: Daniel Veillard <email address hidden>
The existing qemu snapshot code has a slight bug: if the domain
is currently pmsuspended, you can't use the _REDEFINE flag even
though the current domain state should have no bearing on being
able to recreate metadata state; and conversely, you can use the
_REDEFINE flag to create snapshot metadata claiming to be
pmsuspended as a bypass to the normal restrictions that you can't
create an original qemu snapshot in that state (the restriction
against pmsuspend is specific to qemu, rather than part of the
driver-agnostic snapshot_conf code).
Fix this by checking the snapshot state (when redefining) instead
of the domain state (which is a subset of snapshot states).
Signed-off-by: Eric Blake <email address hidden>
Reviewed-by: John Ferlan <email address hidden>
5de5432...
by
Jiri Denemark <email address hidden>
storage: Fix iscsi-direct volume size for volumes > 4GiB
Both block_size and nb_block are unit32_t and multiplying them overflows
at 4GiB.
Moreover, the iscsi_*10_* APIs use 32bit number of blocks and thus they
can only address images up to 2TiB with 512B blocks. Let's use 64b
iscsi_*16_* APIs instead.
bf5cf61...
by
Michal Privoznik <email address hidden>
virISCSIDirectRefreshVol: Don't clear volumes in each run
When fetching LUNs from iscsi server the
virISCSIDirectReportLuns() is called. This function does some
libiscsi calls and then calls virISCSIDirectRefreshVol() over
each LUN found. It's unfortunate that the latter calls
virStoragePoolObjClearVols() as we lose all LUNs processed
in previous iterations.
