Commit Graph

194 Commits

Author SHA1 Message Date
Marek Marczykowski-Górecki
9cbf9a8a59 Add support for 'pci_strictreset' option
This allows to assign PCI device to the VM, even if it doesn't support
proper reset. The default behaviour (when the value is True) is to not
allow such attachment (VM will not start if such device is assigned).

Require libvirt patch for this option.
2015-05-28 00:11:17 +02:00
Marek Marczykowski-Górecki
602155374a dispvm: restore DispVM naming independent of Qubes VM ID (#983)
Using QID for DispVM ID was a bad idea in terms of anonymity:
1. It gives some clue about VMs count in the system. In case of large
numbers, this can be quite unique.
2. If new DispVM is started just after closing previous one, it will get
the same ID, and in consequence the same IP. In case of using TorVM,
this leads to use the same circuit as just closed DispVM.

Fixes qubesos/qubes-issues#983
2015-05-04 00:41:33 +02:00
Marek Marczykowski-Górecki
b985bf3b65 core: fix removing VMs not registered in libvirt
It can happen that VM will not be registered in libvirt (for example
when it was never started). It shouldn't be a problem when we want to
remove it.
2015-05-03 20:26:07 +02:00
Marek Marczykowski-Górecki
6ecc263534 core: use libvirtError instance instead of virConnGetLastError 2015-05-03 20:23:26 +02:00
Marek Marczykowski-Górecki
1a284f18fb core: store dom0 info in qubes.xml
At least to have there info about its backup.

This was already done in commit
dc6fd3c8f3, but later was erroneously
reverted during migration to libvirt.

Fixes qubesos/qubes-issues#958
2015-04-28 15:00:50 +02:00
Marek Marczykowski-Górecki
7652137854 core: make sure that dom0.libvirt_domain isn't used
libvirt do not have domain object for dom0, so do not try to access it.
2015-04-28 15:00:50 +02:00
Marek Marczykowski-Górecki
bbf2ee3a67 core: cleanup_vifs should not fail when no network intf is present
This can happen when initially there was no default netvm, some domain
was started, then default netvm was set and started - then
netvm.connected_vms will contain domains which aren't really connected
there.
Especially this was happening in firstboot.
2015-04-15 12:04:21 +02:00
Marek Marczykowski-Górecki
913cc27023 core: fix QubesVm.clone_attrs - really copy dicts
Otherwise it would point at the same object and for example changing
vm.services[] in one VM will change that also for another. That link
will be severed after reloading the VMs from qubes.xml, but at least in
case of DispVM startup its too late - vm.service['qubes-dvm'] is set for
the DispVM template even during normal startup, not savefile preparation.
2015-04-10 18:32:14 +02:00
Marek Marczykowski-Górecki
1ab4663293 core: reject non-NetVM for vm.netvm and vm.dispvm_netvm 2015-04-06 02:55:26 +02:00
Marek Marczykowski-Górecki
678ccdfaa0 core: fix saving 'dispvm_netvm' attribute 2015-04-06 00:21:08 +02:00
Marek Marczykowski-Górecki
d8533bd061 core: do not reset firewal when setting netvm=none
It is no longer needed as qubesos/qubes-issues#862 is implemented.
2015-04-04 21:48:03 +02:00
Marek Marczykowski-Górecki
7516737fae core: Add "dispvm_netvm" property - NetVM for DispVMs started from a VM
This allows to specify tight network isolation for a VM, and finally
close one remaining way for leaking traffic around TorVM. Now when VM is
connected to for example TorVM, its DispVMs will be also connected
there.
The new property can be set to:
 - default (uses_default_dispvm_netvm=True) - use the same NetVM/ProxyVM as the
 calling VM itself - including none it that's the case
 - None - DispVMs will be network-isolated
 - some NetVM/ProxyVM - will be used, even if calling VM is network-isolated

Closes qubesos/qubes-issues#862
2015-04-04 21:47:31 +02:00
Wojtek Porczyk
19dfe3d390 core: allow '.' in domain name 2015-03-31 20:42:53 +02:00
Marek Marczykowski-Górecki
0b0dbfd1e7 core: default 'include_in_backups' to negative of 'installed_by_rpm'
As we allow to backup template, even if installed by rpm, it makes sense
to not include such templates in backup by default.
2015-03-31 05:49:13 +02:00
Marek Marczykowski-Górecki
5c59067676 core: treat absence of libvirt domain as 'Halted' state
If the domain isn't defined in libvirt, it surely isn't running. This is
needed for DispVM, which compares with exactly this state.
2015-03-30 05:33:13 +02:00
Marek Marczykowski-Górecki
9bfcb72722 core: fix setting the VM autostart (#925)
This is actually workaround for systemd bug reported here:
https://bugzilla.redhat.com/show_bug.cgi?id=1181922

Closes qubesos/qubes-issues#925
2015-03-29 23:48:10 +02:00
Marek Marczykowski-Górecki
2e8624e322 core: add missing import 2015-03-29 23:47:24 +02:00
Marek Marczykowski-Górecki
075f35b873 core: do not assume that libvirt domain is always defined
Define it only when really needed:
 - during VM creation - to generate UUID
 - just before VM startup

As a consequence we must handle possible exception when accessing
vm.libvirt_domain. It would be a good idea to make this field private in
the future. It isn't possible for now because block_* are external for
QubesVm class.

This hopefully fixes race condition when Qubes Manager tries to access
libvirt_domain (using some QubesVm.*) at the same time as other tool is
removing the domain. Additionally if Qubes Manage would loose that race, it could
define the domain again leaving some unused libvirt domain (blocking
that domain name for future use).
2015-03-29 23:38:36 +02:00
Marek Marczykowski-Górecki
bb958fd1c8 core: improve handling dead domains when talking to QubesDB daemon
Provide vm.refresh(), which will force to reconnect do QubesDB daemon,
and also get new libvirt object (including new ID, if any). Use this
method whenever QubesDB call returns DisconnectedError exception. Also
raise that exception when someone is trying to talk to not running
QubesDB - instead of returning None.
2015-03-29 17:22:15 +02:00
Marek Marczykowski-Górecki
124a26ec97 core: do not undefine libvirt domain when not necessary
Libvirt will replace domain XML when trying to define the new one with
the same name and UUID - this is exactly what we need. This fixes race
condition with other processes (especially Qubes Manager), which can try
to access that libvirt domain object at the same time.
2015-03-29 16:31:56 +02:00
Marek Marczykowski-Górecki
1b428f6865 core: fix bogus return value from __init__ 2015-03-29 16:19:50 +02:00
Marek Marczykowski-Górecki
999698bd68 core: rename create_xenstore_entries, get rid of xid parameter
It have nothing to do with xenstore, so change the name to not mislead.
Also get rid of unused "xid" parameter - we should use XID as little as
possible, because it is not a simple task to keep it current.
2015-03-28 22:36:28 +01:00
Marek Marczykowski-Górecki
4dfb629dd8 Update libvirt config syntax for new version of driver domain patches
Finally accepted patches uses different syntax: <backenddomain name=.../> tag
instead of <source domain=.../>.
2015-03-21 21:12:48 +01:00
Marek Marczykowski-Górecki
7463a55f0f dispvm: do not require shmoverride loaded to start gui daemon
This isn't needed anymore because we'll show no window in invisible
mode. This allows to prepare DispVM from firstboot.
2015-03-19 10:30:18 +01:00
Marek Marczykowski-Górecki
69f8d8aecf dispvm: create /qubes-restore-complete qubesdb key
It is used by just started DispVM to notice when restore process
completed. Alternatively it could watch its own domid, but lets do it in
Xen-independent way.
2015-03-04 02:20:24 +01:00
Marek Marczykowski-Górecki
90b76b489d dispvm: start gui-daemon in "invisible mode" when preparing DispVM 2015-03-04 02:19:29 +01:00
Marek Marczykowski-Górecki
2eeea65ce6 core: do not call GUI-related RPC services, when qrexec is not running 2015-03-04 02:18:46 +01:00
Marek Marczykowski-Górecki
7265cb9d0f Merge branch 'dispvm-speedup' into dispvm-speedup3
Conflicts:
	dispvm/qubes-prepare-saved-domain.sh
2015-03-02 03:35:15 +01:00
Marek Marczykowski-Górecki
54a06f3f46 core: add dummy QubesTemplateHVm.commit_changes
It does nothing as root-cow.img isn't used by HVMs (yet), but this
function is required by qvm-template-commit.
2015-02-22 03:53:51 +01:00
Wojtek Porczyk
2b14bc88d0 core/modules: debug important VM changes 2015-02-19 21:32:43 +01:00
Marek Marczykowski-Górecki
246de96dcd core: make vm.rootcow_img a property 2015-02-11 13:59:57 +01:00
Marek Marczykowski-Górecki
cf41d94754 core: implement VM suspend
Required for proper host sleep when netvm is running.
2015-02-10 06:45:47 +01:00
Marek Marczykowski-Górecki
e67e9a4be1 Revert part of "core: remove kernel properties from DispVM and Dom0 (#948)"
This reverts DispVM part of commit 72cf3a8201.
2015-02-09 22:29:23 +01:00
Marek Marczykowski-Górecki
adfc4e0ac9 core: disks handling cleanup, fix them for TemplateHVM
Move rootcow_img to storage class, remove clean_volatile_img. And most
importantly - set source_template in QubesHVm.create_on_disk.
2015-02-09 06:02:20 +01:00
Marek Marczykowski-Górecki
2def43517a core/hvm: handle verbose option for guid 2015-02-09 05:39:44 +01:00
Marek Marczykowski-Górecki
393bb00471 core: update reporting for missing VT-x 2015-02-09 03:46:53 +01:00
Marek Marczykowski-Górecki
869675c15c core: convert memory/cpu stats to libvirt API 2015-02-09 03:28:01 +01:00
Marek Marczykowski-Górecki
4e26588bb3 core/hvm: remove xenstore code
QubesDB does not require setting up directory (and permissions), so just
remove the function.
2015-02-07 01:12:29 +01:00
Marek Marczykowski-Górecki
89f8f219bf core: changes in libvirt config for libvirt-1.2.12 2015-02-05 06:31:00 +01:00
Marek Marczykowski-Górecki
72cf3a8201 core: remove kernel properties from DispVM and Dom0 (#948)
Qubes does not keep track of those kernel versions.

Conflicts:
	core-modules/01QubesDisposableVm.py
2015-01-30 01:40:40 +01:00
Marek Marczykowski-Górecki
49d510dc65 core: prevent permissions error when VM was started by root
When VM is started by root, config file is created with root owner and
user has no write access to it. As the directory is user-writable,
delete the file first.

Conflicts:
	core-modules/000QubesVm.py
2015-01-30 01:39:57 +01:00
Marek Marczykowski-Górecki
52334bc414 core: fix firewall update code
Do not load qubes.xml again, it can cause race conditions between two
instances of the same VM objects.
Especially when VM is starting ProxyVM to which it is connected,
firewall rules could not be loaded.
2015-01-30 01:38:56 +01:00
Marek Marczykowski-Górecki
73301a67c8 core: fix vm.run(..., passio=False) handling
Long time ago passio=True was used to replace current process with
qrexec-client directly (qvm-run --pass-io was the called), but this
behaviour is not used anymore (qvm-run was the only user). And this
option was left untouched, with misleading name - one would assume that
using passio=False should disallow any I/O, but this isn't the case.

Especially qvm-sync-clock is calling clockvm.run('...', wait=True),
default value for passio=False. This causes to output data from
untrusted VM, without sanitising terminal sequences, which can be fatal.

This patch changes passio semantic to actually do what it means - when
set to True - VM process will be able to interact with
stdin/stdout/stderr. But when set to False, all those FDs will be
connected to /dev/null.

Conflicts:
	core-modules/000QubesVm.py
2015-01-30 01:38:52 +01:00
Marek Marczykowski-Górecki
7a3bce6c61 core: fix is_paused method 2014-11-29 02:58:47 +01:00
Marek Marczykowski-Górecki
592a4901c9 core: import monitorlayoutnotify instead of calling it as external script
Otherwise deadlock could happen - the script will try to get read lock
on qubes.xml, while the calling tool can already hold the lock. If that
was write lock (which is in case of qfile-daemon-dvm), the deadlock
occurs.
2014-11-21 21:45:03 +01:00
Marek Marczykowski-Górecki
1df73d31c6 core: xid is no longer local variable here 2014-11-19 12:50:32 +01:00
Marek Marczykowski-Górecki
9205c5c054 core: fix imports 2014-11-19 12:50:32 +01:00
Marek Marczykowski-Górecki
479ac1e42d core: check libvirt error on specific connection
Not global last one.
2014-11-19 12:50:32 +01:00
Rafał Wojdyła
97c793ed16 QubesVm.run(): wait for client to exit on Windows 2014-11-19 12:50:31 +01:00
Marek Marczykowski-Górecki
3ba424e6ac Use VM name as argument to qrexec-client
This is the only place where ID was used - all other places uses name.
Linux qrexec-client accepts both ID and name, but sticking to one option
will simplify things (especially Windows qrexec-client/daemon).
2014-11-19 12:50:31 +01:00