If the x509verify option is requested, the VNC websockets server
was failing to validate that the websockets client provided an
x509 certificate matching the ACL rules.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
The previous change to the auth scheme handling guarantees we
can never have nested TLS sessions in the VNC websockets server.
Thus we can remove the separate gnutls_session instance.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
When TLS is required, the primary VNC server considers it to be
mandatory. ie the server admin decides whether or not TLS is used,
and the client has to comply with this decision. The websockets
server, however, treated it as optional, allowing non-TLS clients
to connect to a server which had setup TLS. Thus enabling websockets
lowers the security of the VNC server leaving the admin no way to
enforce use of TLS.
This removes the code that allows non-TLS fallback in the websockets
server, so that if TLS is requested for VNC it is now mandatory for
both the primary VNC server and the websockets VNC server.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
The way the websockets TLS code was integrated into the VNC server
made it essentially useless. The only time that the websockets TLS
support could be used is if the primary VNC server had its existing
TLS support disabled. ie QEMU had to be launched with:
# qemu -vnc localhost:1,websockets=5902,x509=/path/to/certs
Note the absence of the 'tls' flag. This is already a bug, because
the docs indicate that 'x509' is ignored unless 'tls' is given.
If the primary VNC server had TLS turned on via the 'tls' flag,
then this prevented the websockets TLS support from being used,
because it activates the VeNCrypt auth which would have resulted
in TLS being run over a TLS session. Of course no websockets VNC
client supported VeNCrypt so in practice, since the browser clients
cannot setup a nested TLS session over the main HTTPS connection,
so it would not even get past auth.
This patch causes us to decide our auth scheme separately for the
main VNC server vs the websockets VNC server. We take account of
the fact that if TLS is enabled, then the websockets client will
use https, so setting up VeNCrypt is thus redundant as it would
lead to nested TLS sessions.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
The vnc_display_open method is quite long and complex, so
move the VNC auth scheme decision logic into a separate
method for clarity.
Also update the comment to better describe what we are
trying to achieve.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
If the VNC server is built without tls, sasl or websocket support
and the user requests one of these features, they are just silently
ignored. This is bad because it means the VNC server ends up running
in a configuration that is less secure than the user asked for.
It also leads to an tangled mass of preprocessor conditionals when
configuring the VNC server.
This ensures that the tls, sasl & websocket options are always
processed and an error is reported back to the user if any of
them were disabled at build time.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Handling of VNC audio messages results in printfs to the console.
This is of no use to anyone in production, so should be using the
normal VNC_DEBUG macro instead.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABCAAGBQJVCDhaAAoJEPSH7xhYctcjCmUP/2OdZOznik2BwE+RXYjj+TGn
YFaN7G7kwCmbxjrbZgq89QW+lmqUlf5K8L6t4v8oOt4NDGslgKiibYJRekRIbWKm
G2xiThCQJFLX+62EJ90nSjAERAGvMF5m/w80nUsXba7f5Ryx19qz/fOqrBcipo5w
y9pcJ1kGw/bPXB8Enedb6veREgHOOZHAirTVzsRoy7OD0kQsTYIxsjXlk0cYO7FK
vcmMr/E3ahzMge8XdLFYHVaMDCf8DTNjLPl0ZeuQt+IS6PP5uEPTQ8hVllT0FeSr
SzCXOrWU2GJB9SbSK6S0sg1DzZIc6+eXYV2djDKdj4AjHRvVuZ+L9L5OErNh3zsE
RY7ArWQpkrCfCB9xGT0Iud/cKbgiF23V6+Zy6lrzruoQcvw7Dtj90CwXdLEFsTP3
O0XMpkDCXnNjsuexj9DmyXcMs/1EJHUeYentoo3dj7YP2Dlxd2Zz5PEkE4BoYFa9
n7dOpW/Gf+53Axx7ob0+aWcRUAskAc2FTuc4G16YTmMsnx3Jxpn7fwDcZKinHBtE
WvgrEc9CCT+7tniXL9biRaETN1sr2fN5ZLgol2JymmXNvrXJNGiwQNUI3wWI/X4P
atJcXLfUmR7yTBG5FM6kzl8jSV78MuKqSnxO02eF3GRW90lV4w/jc873W6gbv5Qj
hAZtEkRB+5dgCl7iCAXk
=baFB
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/juanquintela/tags/migration/20150317' into staging
migration/next for 20150317
# gpg: Signature made Tue Mar 17 14:21:14 2015 GMT using RSA key ID 5872D723
# gpg: Can't check signature: public key not found
* remotes/juanquintela/tags/migration/20150317:
migration: Expose 'cancelling' status to user
migration: Convert 'status' of MigrationInfo to use an enum type
hmp: Rename 'MigrationStatus' to 'HMPMigrationStatus'
migration: Rename abbreviated macro MIG_STATE_* to MIGRATION_STATUS_*
migration: Remove unused functions
arch_init: Count the total number of pages by using helper function
migrate_incoming: Cleanup/clarify error messages
Warn against the use of the string as uri parameter to migrate-incoming
migrate_incoming: use hmp_handle_error
migration: Fix remaining 32 bit compiler errors
migration: Fix some 32 bit compiler errors
migration/rdma: clean up qemu_rdma_dest_init a bit
migration: Avoid qerror_report_err() outside QMP command handlers
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
* QTest for PC X86CPU
* Confinement of ICC bridge X86CPU parenting to PC code
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABAgAGBQJVCEbzAAoJEPou0S0+fgE/0CQQAK7LPJgLXD7tvbD7nhX+E+Vl
8OeawRKag367b1yqHGgdAd4JxTSSFDzjqif67OYAG5xRuA53tZ6BdccWlnLUYYbW
+v2931HR+E4KztVHato7qdq0lVmbv9N9kg44KQPPuX8cNvJIliT/ap3SKc9btSp3
I10QtM41+KqzJYa6TBzkpij12AbzOD153STrdmiasIIQc4SMKuAZRA/A14fLazj9
iraIRLQQ1gvKPuL/4eCGN65sxXHq93ga0LeU2L2slPxm8jJ1BzgzFTDJtcXSG4Sj
CQCmDCAn8BFoom3HP5REg6u0p/d1+UbBCl9S/YjUiA5lDSrJh+8xSZ4zcwAGHcXQ
LzRKxZ18TJnpg4qcohikl43NkDmCKpqbj1T5QRrFlUp5pcia7tqlREwOTJTu8YpX
gMvdMrshJ0nM2BrdTXpkeQRP4hTKJ4pbaT15FIbxAFAqwihHW07pYU1mE0enmFb+
cA4yJTT4D4qwUFGm3OJEk/jsQmEpAoD7lz2MSjBVZiX1Crprs7ETGKalVDxDYBga
CaTxJp5nZhgwEbgmKx5/AxnohMVEs40+sXieNHkFhOZ8DOJ+/kAClBmqHakR8ENg
G6B1/gN3Gr5fSTEdppXAbvDe7g8qpC9gWkV7kwFie/MykrmDWDnivvVKxt9PlRgC
DUhHfcNCISWNvaBZWc31
=fe5i
-----END PGP SIGNATURE-----
Merge remote-tracking branch 'remotes/afaerber/tags/qom-cpu-for-peter' into staging
QOM CPUState and X86CPU
* QTest for PC X86CPU
* Confinement of ICC bridge X86CPU parenting to PC code
# gpg: Signature made Tue Mar 17 15:23:31 2015 GMT using RSA key ID 3E7E013F
# gpg: Good signature from "Andreas Färber <afaerber@suse.de>"
# gpg: aka "Andreas Färber <afaerber@suse.com>"
* remotes/afaerber/tags/qom-cpu-for-peter:
target-i386: Remove icc_bridge parameter from cpu_x86_create()
tests: Add PC CPU test
pc: Suppress APIC ID compatibility warning for QTest
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
'cancelling' status was introduced by commit 51cf4c1a, mainly to avoid a
possible start of a new migration process while the previous one still exists.
But we didn't expose this status to user, instead we returned the 'active' state.
Here, we expose it to the user (such as libvirt), 'cancelling' status only
occurs for a short window before the migration aborts, so for users,
if they cancel a migration process, it will observe 'cancelling' status
occasionally.
Testing revealed that with older libvirt (anything 1.2.13 or less) will
print an odd error message if the state is seen, but that the migration
is still properly cancelled. Newer libvirt will be patched to recognize
the new state without the odd error message.
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Cc: libvir-list@redhat.com
Signed-off-by: Juan Quintela <quintela@redhat.com>
The original 'status' is an open-coded 'str' type, convert it to use an
enum type.
This conversion is backwards compatible, better documented and
more convenient for future extensibility.
In addition, Fix a typo for qapi-schema.json (just remove the typo) :
s/'completed'. 'comppleted' (since 1.2)/'completed' (since 1.2)
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
We will use the typename 'MigrationStatus' for publicly exported typename,
So here we rename the internal-only 'MigrationStatus' to
'HMPMigrationStatus'.
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Rename all macro MIG_STATE_* to MIGRATION_STATUS_* except "MIG_STATE_ERROR",
we rename it to "MIGRATION_STATUS_FAILED" which will match the migration status
string 'failed'.
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
migrate_rdma_pin_all() and qsb_clone() are completely unused and thus
can be deleted.
Signed-off-by: Thomas Huth <thuth@linux.vnet.ibm.com>
Cc: Juan Quintela <quintela@redhat.com>
Cc: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
There is already a helper function ram_bytes_total(), we can use it to
help counting the total number of pages used by ram blocks.
Signed-off-by: zhanghailiang <zhang.zhanghailiang@huawei.com>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Create a separate error for the case where migrate_incoming is
used after a succesful migrate_incoming.
Reword the error in the case where '-incoming defer' is missing
to omit the command name so it's right for both hmp and qmp.
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Reviewed-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Amit Shah <amit.shah@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Fix type casts between pointers and 64 bit integers.
Now 32 bit builds are possible again.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Juan Quintela <quintela@redhat.com>
The current code won't compile on 32 bit hosts because there are lots
of type casts between pointers and 64 bit integers.
Fix some of them.
Signed-off-by: Stefan Weil <sw@weilnetz.de>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Do not check for rdma->host being empty twice. This removes a large
"if" block, so code indentation is changed. While at it, remove an
ugly goto from the loop, replacing it with a cleaner if logic. And
finally, there's no need to initialize `ret' variable since is always
has a value.
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Tested-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
--
fixed space detected by Dave
Signed-off-by: Juan Quintela <quintela@redhat.com>
qerror_report_err() is a transitional interface to help with
converting existing monitor commands to QMP. It should not be used
elsewhere. Replace by error_report_err() in
process_incoming_migration_co().
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Juan Quintela <quintela@redhat.com>
Instead of passing icc_bridge from the PC initialization code to
cpu_x86_create(), make the PC initialization code attach the CPU to
icc_bridge.
The only difference here is that icc_bridge attachment will now be done
after x86_cpu_parse_featurestr() is called. But this shouldn't make any
difference, as property setters shouldn't depend on icc_bridge.
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Test non-default -smp core and thread counts and a non-default CPU model
on all PC machines except for isapc. Note that not all historic versions
actually supported this particular configuration, ignored for simplicity.
For machines pc-*-1.5+ test QMP cpu-add with monotonically increasing ID,
and test for graceful failure otherwise.
Cc: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Move non-qdev-gpio[*] from /machine into /machine/unattached.
For the PC this moves 25 nodes from the stable namespace into the unstable.
Cc: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
This cleans up the official /machine namespace. In particular
/machine/system[0] and /machine/io[0], as well as entries with
non-sanitized node names such as "/machine/qemu extended regs[0]".
The actual MemoryRegion names remain unchanged.
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
To complement qdev's bus-oriented info qtree, info qom-tree
prints a hierarchical view of the QOM composition tree.
By default, the machine composition tree is shown. This can be overriden
by supplying a path argument, such as "info qom-tree /".
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Re-implemented based on qmp_qom_set() to facilitate argument parsing.
Warn about ambiguous path arguments.
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Implement it as a wrapper for QMP qom-list, but mimic the behavior of
scripts/qmp/qom-list in making the path argument optional and listing
the root if absent, to hint users what kind of path to pass.
Reviewed-by: Gonglei <arei.gonglei@huawei.com>
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Functionally it is a recursive qom-list with qom-get per non-child<>
property. Some failures needed to be handled, such as trying to read a
pointer property, which is not representable in QMP. Those print a
literal "<EXCEPTION>".
Tested-by: Alistair Francis <alistair.francis@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Error classes are a leftover from the days of "rich" error objects.
New code should always use ERROR_CLASS_GENERIC_ERROR. Commit 1d0d59f
added a use of ERROR_CLASS_DEVICE_NOT_FOUND. Replace it.
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
qerror_report_err() is a transitional interface to help with
converting existing monitor commands to QMP. It should not be used
elsewhere.
usb_msd_password_cb() is only called from within an HMP command
handler. Replace by error_report_err().
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
When the image is encrypted, QMP device_add creates the device, defers
actually attaching it to when the key becomes available, then returns
an error. This is wrong. device_add must either create the device
and succeed, or do nothing and fail.
The bug is in usb_msd_realize_storage(). It posts an error with
qerror_report_err(), and returns success. Device realization relies
on the return value, and completes. The QMP monitor, however, relies
on the posted error, and sends it in an error reply.
Reproducer:
$ qemu-system-x86_64 -nodefaults -display none -usb -qmp stdio -drive if=none,id=foo,file=geheim.qcow2
{"QMP": {"version": {"qemu": {"micro": 50, "minor": 2, "major": 2}, "package": ""}, "capabilities": []}}
{ "execute": "qmp_capabilities" }
{"return": {}}
{ "execute": "device_add", "arguments": { "driver": "usb-storage", "id": "bar", "drive": "foo" } }
{"error": {"class": "DeviceEncrypted", "desc": "'foo' (geheim.qcow2) is encrypted"}}
Even though we got an error back, the device got created just fine.
To demonstrate, let's unplug it again:
{"execute":"device_del","arguments": { "id": "bar" } }
{"timestamp": {"seconds": 1426003440, "microseconds": 237181}, "event": "DEVICE_DELETED", "data": {"path": "/machine/peripheral/bar/bar.0/legacy[0]"}}
{"timestamp": {"seconds": 1426003440, "microseconds": 238231}, "event": "DEVICE_DELETED", "data": {"device": "bar", "path": "/machine/peripheral/bar"}}
{"return": {}}
Fix by making usb_msd_realize_storage() fail properly.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
monitor_read_bdrv_key_start() does several things:
1. If no key is needed, call completion_cb() and succeed
2. If we're in QMP context, call qerror_report_err() and fail
3. Start reading the key in the monitor.
This is two things too many. Inline 1. and 2. into its callers
monitor_read_block_device_key() and usb_msd_realize_storage().
Since monitor_read_block_device_key() only ever runs in HMP context,
drop 2. there.
The next commit will clean up the result in usb_msd_realize_storage().
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Function is only called in HMP context since commit 333a96e "qapi:
Convert change".
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Commit 457215ec "ohci: Use QOM realize for OHCI" converted only
"sysbus-ohci". Finish the job: convert "pci-ohci".
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
The previous commit broke the additional messages explaining the error
messages. Improve the error messages, so they don't need explaining
so much. Helps QMP users as well, unlike additional explanations.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
This loses the messages explaining the error printed with
error_printf_unless_qmp(). The next commit will make up for the loss.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Use DeviceClass::realize() and TypeInfo::instance_init() instead of
the deprecated SysBusDevice::init().
Signed-off-by: Alistair Francis <alistair.francis@xilinx.com>
Reviewed-by: Peter Crosthwaite <peter.crosthwaite@xilinx.com>
Signed-off-by: Andreas Färber <afaerber@suse.de>
Re-add the glx compile test to configure. We can't use pkg-config to
probe for glx, and as long as milkymist-tmu2 privately uses glx (due to
opengl infrastructure in qemu not being ready yet) we must continue to
test for glx to avoid build failures.
Reported-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Max Reitz <mreitz@redhat.com>
