#include <libgen.h>
#include <pthread.h>
-#include "qemu-common.h"
+#include "qemu/help-texts.h"
#include "qapi/error.h"
#include "qemu/cutils.h"
#include "sysemu/block-backend.h"
+#include "sysemu/runstate.h" /* for qemu_system_killed() prototype */
#include "block/block_int.h"
#include "block/nbd.h"
#include "qemu/main-loop.h"
#include "io/channel-socket.h"
#include "io/net-listener.h"
#include "crypto/init.h"
+#include "crypto/tlscreds.h"
#include "trace/control.h"
#include "qemu-version.h"
+#ifdef CONFIG_SELINUX
+#include <selinux/selinux.h>
+#endif
+
#ifdef __linux__
#define HAVE_NBD_DEVICE 1
#else
#define QEMU_NBD_OPT_FORK 263
#define QEMU_NBD_OPT_TLSAUTHZ 264
#define QEMU_NBD_OPT_PID_FILE 265
+#define QEMU_NBD_OPT_SELINUX_LABEL 266
+#define QEMU_NBD_OPT_TLSHOSTNAME 267
#define MBR_SIZE 512
"\n"
"Exposing part of the image:\n"
" -o, --offset=OFFSET offset into the image\n"
+" -A, --allocation-depth expose the allocation depth\n"
" -B, --bitmap=NAME expose a persistent dirty bitmap\n"
"\n"
"General purpose options:\n"
" --fork fork off the server process and exit the parent\n"
" once the server is running\n"
" --pid-file=PATH store the server's process ID in the given file\n"
+#ifdef CONFIG_SELINUX
+" --selinux-label=LABEL set SELinux process label on listening socket\n"
+#endif
#if HAVE_NBD_DEVICE
"\n"
"Kernel NBD client support:\n"
" 'snapshot.id=[ID],snapshot.name=[NAME]', or\n"
" '[ID_OR_NAME]'\n"
" -n, --nocache disable host cache\n"
-" --cache=MODE set cache mode (none, writeback, ...)\n"
+" --cache=MODE set cache mode used to access the disk image, the\n"
+" valid options are: 'none', 'writeback' (default),\n"
+" 'writethrough', 'directsync' and 'unsafe'\n"
" --aio=MODE set AIO mode (native, io_uring or threads)\n"
" --discard=MODE set discard mode (ignore, unmap)\n"
" --detect-zeroes=MODE set detect-zeroes mode (off, on, unmap)\n"
, name);
}
-#if HAVE_NBD_DEVICE
-static void termsig_handler(int signum)
+#ifdef CONFIG_POSIX
+/*
+ * The client thread uses SIGTERM to interrupt the server. A signal
+ * handler ensures that "qemu-nbd -v -c" exits with a nice status code.
+ */
+void qemu_system_killed(int signum, pid_t pid)
{
qatomic_cmpxchg(&state, RUNNING, TERMINATE);
qemu_notify_event();
}
-#endif /* HAVE_NBD_DEVICE */
+#endif /* CONFIG_POSIX */
static int qemu_nbd_client_list(SocketAddress *saddr, QCryptoTLSCreds *tls,
const char *hostname)
sioc = qio_channel_socket_new();
if (qio_channel_socket_connect_sync(sioc, saddr, &err) < 0) {
error_report_err(err);
- return EXIT_FAILURE;
+ goto out;
}
rc = nbd_receive_export_list(QIO_CHANNEL(sioc), tls, hostname, &list,
&err);
char *device = arg;
NBDExportInfo info = { .request_sizes = false, .name = g_strdup("") };
QIOChannelSocket *sioc;
- int fd;
- int ret;
+ int fd = -1;
+ int ret = EXIT_FAILURE;
pthread_t show_parts_thread;
Error *local_error = NULL;
goto out;
}
- ret = nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
- NULL, NULL, NULL, &info, &local_error);
- if (ret < 0) {
+ if (nbd_receive_negotiate(NULL, QIO_CHANNEL(sioc),
+ NULL, NULL, NULL, &info, &local_error) < 0) {
if (local_error) {
error_report_err(local_error);
}
- goto out_socket;
+ goto out;
}
fd = open(device, O_RDWR);
if (fd < 0) {
/* Linux-only, we can use %m in printf. */
error_report("Failed to open %s: %m", device);
- goto out_socket;
+ goto out;
}
- ret = nbd_init(fd, sioc, &info, &local_error);
- if (ret < 0) {
+ if (nbd_init(fd, sioc, &info, &local_error) < 0) {
error_report_err(local_error);
- goto out_fd;
+ goto out;
}
/* update partition table */
dup2(STDOUT_FILENO, STDERR_FILENO);
}
- ret = nbd_client(fd);
- if (ret) {
- goto out_fd;
+ if (nbd_client(fd) < 0) {
+ goto out;
}
- close(fd);
- object_unref(OBJECT(sioc));
- g_free(info.name);
- kill(getpid(), SIGTERM);
- return (void *) EXIT_SUCCESS;
-out_fd:
- close(fd);
-out_socket:
+ ret = EXIT_SUCCESS;
+
+ out:
+ if (fd >= 0) {
+ close(fd);
+ }
object_unref(OBJECT(sioc));
-out:
g_free(info.name);
kill(getpid(), SIGTERM);
- return (void *) EXIT_FAILURE;
+ return (void *) (intptr_t) ret;
}
#endif /* HAVE_NBD_DEVICE */
static int nbd_can_accept(void)
{
- return state == RUNNING && nb_fds < shared;
+ return state == RUNNING && (shared == 0 || nb_fds < shared);
}
static void nbd_update_server_watch(void);
},
};
-static QemuOptsList qemu_object_opts = {
- .name = "object",
- .implied_opt_name = "qom-type",
- .head = QTAILQ_HEAD_INITIALIZER(qemu_object_opts.head),
- .desc = {
- { }
- },
-};
-
-static bool qemu_nbd_object_print_help(const char *type, QemuOpts *opts)
-{
- if (user_creatable_print_help(type, opts)) {
- exit(0);
- }
- return true;
-}
-
-
static QCryptoTLSCreds *nbd_get_tls_creds(const char *id, bool list,
Error **errp)
{
return NULL;
}
- if (list) {
- if (creds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT) {
- error_setg(errp,
- "Expecting TLS credentials with a client endpoint");
- return NULL;
- }
- } else {
- if (creds->endpoint != QCRYPTO_TLS_CREDS_ENDPOINT_SERVER) {
- error_setg(errp,
- "Expecting TLS credentials with a server endpoint");
- return NULL;
- }
+ if (!qcrypto_tls_creds_check_endpoint(creds,
+ list
+ ? QCRYPTO_TLS_CREDS_ENDPOINT_CLIENT
+ : QCRYPTO_TLS_CREDS_ENDPOINT_SERVER,
+ errp)) {
+ return NULL;
}
object_ref(obj);
return creds;
const char *sockpath,
const char *address,
const char *port,
+ const char *selinux,
bool list)
{
if (device != NULL) {
return "TCP port number can't be set when using socket activation";
}
+ if (selinux != NULL) {
+ return "SELinux label can't be set when using socket activation";
+ }
+
if (list) {
return "List mode is incompatible with socket activation";
}
static void qemu_nbd_shutdown(void)
{
job_cancel_sync_all();
+ blk_exp_close_all();
bdrv_close_all();
}
char *device = NULL;
QemuOpts *sn_opts = NULL;
const char *sn_id_or_name = NULL;
- const char *sopt = "hVb:o:p:rsnc:dvk:e:f:tl:x:T:D:B:L";
+ const char *sopt = "hVb:o:p:rsnc:dvk:e:f:tl:x:T:D:AB:L";
struct option lopt[] = {
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'V' },
{ "socket", required_argument, NULL, 'k' },
{ "offset", required_argument, NULL, 'o' },
{ "read-only", no_argument, NULL, 'r' },
+ { "allocation-depth", no_argument, NULL, 'A' },
{ "bitmap", required_argument, NULL, 'B' },
{ "connect", required_argument, NULL, 'c' },
{ "disconnect", no_argument, NULL, 'd' },
{ "export-name", required_argument, NULL, 'x' },
{ "description", required_argument, NULL, 'D' },
{ "tls-creds", required_argument, NULL, QEMU_NBD_OPT_TLSCREDS },
+ { "tls-hostname", required_argument, NULL, QEMU_NBD_OPT_TLSHOSTNAME },
{ "tls-authz", required_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ },
{ "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS },
{ "trace", required_argument, NULL, 'T' },
{ "fork", no_argument, NULL, QEMU_NBD_OPT_FORK },
{ "pid-file", required_argument, NULL, QEMU_NBD_OPT_PID_FILE },
+ { "selinux-label", required_argument, NULL,
+ QEMU_NBD_OPT_SELINUX_LABEL },
{ NULL, 0, NULL, 0 }
};
int ch;
QDict *options = NULL;
const char *export_name = NULL; /* defaults to "" later for server mode */
const char *export_description = NULL;
- const char *bitmap = NULL;
+ BlockDirtyBitmapOrStrList *bitmaps = NULL;
+ bool alloc_depth = false;
const char *tlscredsid = NULL;
+ const char *tlshostname = NULL;
bool imageOpts = false;
- bool writethrough = true;
- char *trace_file = NULL;
+ bool writethrough = false; /* Client will flush as needed. */
bool fork_process = false;
bool list = false;
int old_stderr = -1;
unsigned socket_activation;
const char *pid_file_name = NULL;
+ const char *selinux_label = NULL;
BlockExportOptions *export_opts;
-#if HAVE_NBD_DEVICE
- /* The client thread uses SIGTERM to interrupt the server. A signal
- * handler ensures that "qemu-nbd -v -c" exits with a nice status code.
- */
- struct sigaction sa_sigterm;
- memset(&sa_sigterm, 0, sizeof(sa_sigterm));
- sa_sigterm.sa_handler = termsig_handler;
- sigaction(SIGTERM, &sa_sigterm, NULL);
-#endif /* HAVE_NBD_DEVICE */
-
#ifdef CONFIG_POSIX
- signal(SIGPIPE, SIG_IGN);
+ os_setup_early_signal_handling();
+ os_setup_signal_handling();
#endif
socket_init();
qcrypto_init(&error_fatal);
module_call_init(MODULE_INIT_QOM);
- qemu_add_opts(&qemu_object_opts);
qemu_add_opts(&qemu_trace_opts);
qemu_init_exec_dir(argv[0]);
readonly = true;
flags &= ~BDRV_O_RDWR;
break;
+ case 'A':
+ alloc_depth = true;
+ break;
case 'B':
- bitmap = optarg;
+ {
+ BlockDirtyBitmapOrStr *el = g_new(BlockDirtyBitmapOrStr, 1);
+ *el = (BlockDirtyBitmapOrStr) {
+ .type = QTYPE_QSTRING,
+ .u.local = g_strdup(optarg),
+ };
+ QAPI_LIST_PREPEND(bitmaps, el);
+ }
break;
case 'k':
sockpath = optarg;
break;
case 'e':
if (qemu_strtoi(optarg, NULL, 0, &shared) < 0 ||
- shared < 1) {
+ shared < 0) {
error_report("Invalid shared device number '%s'", optarg);
exit(EXIT_FAILURE);
}
case '?':
error_report("Try `%s --help' for more information.", argv[0]);
exit(EXIT_FAILURE);
- case QEMU_NBD_OPT_OBJECT: {
- QemuOpts *opts;
- opts = qemu_opts_parse_noisily(&qemu_object_opts,
- optarg, true);
- if (!opts) {
- exit(EXIT_FAILURE);
- }
- } break;
+ case QEMU_NBD_OPT_OBJECT:
+ user_creatable_process_cmdline(optarg);
+ break;
case QEMU_NBD_OPT_TLSCREDS:
tlscredsid = optarg;
break;
+ case QEMU_NBD_OPT_TLSHOSTNAME:
+ tlshostname = optarg;
+ break;
case QEMU_NBD_OPT_IMAGE_OPTS:
imageOpts = true;
break;
case 'T':
- g_free(trace_file);
- trace_file = trace_opt_parse(optarg);
+ trace_opt_parse(optarg);
break;
case QEMU_NBD_OPT_TLSAUTHZ:
tlsauthz = optarg;
case QEMU_NBD_OPT_PID_FILE:
pid_file_name = optarg;
break;
+ case QEMU_NBD_OPT_SELINUX_LABEL:
+ selinux_label = optarg;
+ break;
}
}
exit(EXIT_FAILURE);
}
if (export_name || export_description || dev_offset ||
- device || disconnect || fmt || sn_id_or_name || bitmap ||
- seen_aio || seen_discard || seen_cache) {
+ device || disconnect || fmt || sn_id_or_name || bitmaps ||
+ alloc_depth || seen_aio || seen_discard || seen_cache) {
error_report("List mode is incompatible with per-device settings");
exit(EXIT_FAILURE);
}
export_name = "";
}
- qemu_opts_foreach(&qemu_object_opts,
- user_creatable_add_opts_foreach,
- qemu_nbd_object_print_help, &error_fatal);
-
if (!trace_init_backends()) {
exit(1);
}
- trace_init_file(trace_file);
- qemu_set_log(LOG_TRACE);
+ trace_init_file();
+ qemu_set_log(LOG_TRACE, &error_fatal);
socket_activation = check_socket_activation();
if (socket_activation == 0) {
- setup_address_and_port(&bindto, &port);
+ if (!sockpath) {
+ setup_address_and_port(&bindto, &port);
+ }
} else {
/* Using socket activation - check user didn't use -p etc. */
const char *err_msg = socket_activation_validate_opts(device, sockpath,
bindto, port,
+ selinux_label,
list);
if (err_msg != NULL) {
error_report("%s", err_msg);
}
if (tlscredsid) {
- if (sockpath) {
- error_report("TLS is only supported with IPv4/IPv6");
- exit(EXIT_FAILURE);
- }
if (device) {
error_report("TLS is not supported with a host device");
exit(EXIT_FAILURE);
error_report("TLS authorization is incompatible with export list");
exit(EXIT_FAILURE);
}
+ if (tlshostname && !list) {
+ error_report("TLS hostname is only supported with export list");
+ exit(EXIT_FAILURE);
+ }
tlscreds = nbd_get_tls_creds(tlscredsid, list, &local_err);
if (local_err) {
error_reportf_err(local_err, "Failed to get TLS creds: ");
error_report("--tls-authz is not permitted without --tls-creds");
exit(EXIT_FAILURE);
}
+ if (tlshostname) {
+ error_report("--tls-hostname is not permitted without --tls-creds");
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ if (selinux_label) {
+#ifdef CONFIG_SELINUX
+ if (sockpath == NULL && device == NULL) {
+ error_report("--selinux-label is not permitted without --socket");
+ exit(EXIT_FAILURE);
+ }
+#else
+ error_report("SELinux support not enabled in this binary");
+ exit(EXIT_FAILURE);
+#endif
}
if (list) {
saddr = nbd_build_socket_address(sockpath, bindto, port);
- return qemu_nbd_client_list(saddr, tlscreds, bindto);
+ return qemu_nbd_client_list(saddr, tlscreds,
+ tlshostname ? tlshostname : bindto);
}
#if !HAVE_NBD_DEVICE
if ((device && !verbose) || fork_process) {
#ifndef WIN32
+ g_autoptr(GError) err = NULL;
int stderr_fd[2];
pid_t pid;
int ret;
- if (qemu_pipe(stderr_fd) < 0) {
+ if (!g_unix_open_pipe(stderr_fd, FD_CLOEXEC, &err)) {
error_report("Error setting up communication pipe: %s",
- strerror(errno));
+ err->message);
exit(EXIT_FAILURE);
}
server = qio_net_listener_new();
if (socket_activation == 0) {
+ int backlog;
+
+ if (persistent || shared == 0) {
+ backlog = SOMAXCONN;
+ } else {
+ backlog = MIN(shared, SOMAXCONN);
+ }
+#ifdef CONFIG_SELINUX
+ if (selinux_label && setsockcreatecon_raw(selinux_label) == -1) {
+ error_report("Cannot set SELinux socket create context to %s: %s",
+ selinux_label, strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+#endif
saddr = nbd_build_socket_address(sockpath, bindto, port);
- if (qio_net_listener_open_sync(server, saddr, 1, &local_err) < 0) {
+ if (qio_net_listener_open_sync(server, saddr, backlog,
+ &local_err) < 0) {
object_unref(OBJECT(server));
error_report_err(local_err);
exit(EXIT_FAILURE);
}
+#ifdef CONFIG_SELINUX
+ if (selinux_label && setsockcreatecon_raw(NULL) == -1) {
+ error_report("Cannot clear SELinux socket create context: %s",
+ strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+#endif
} else {
size_t i;
/* See comment in check_socket_activation above. */
}
}
- if (qemu_init_main_loop(&local_err)) {
- error_report_err(local_err);
- exit(EXIT_FAILURE);
- }
+ qemu_init_main_loop(&error_fatal);
bdrv_init();
atexit(qemu_nbd_shutdown);
bs->detect_zeroes = detect_zeroes;
- nbd_server_is_qemu_nbd(true);
+ nbd_server_is_qemu_nbd(shared);
export_opts = g_new(BlockExportOptions, 1);
*export_opts = (BlockExportOptions) {
.has_writable = true,
.writable = !readonly,
.u.nbd = {
- .has_name = true,
- .name = g_strdup(export_name),
- .has_description = !!export_description,
- .description = g_strdup(export_description),
- .has_bitmap = !!bitmap,
- .bitmap = g_strdup(bitmap),
+ .name = g_strdup(export_name),
+ .description = g_strdup(export_description),
+ .has_bitmaps = !!bitmaps,
+ .bitmaps = bitmaps,
+ .has_allocation_depth = alloc_depth,
+ .allocation_depth = alloc_depth,
},
};
blk_exp_add(export_opts, &error_fatal);
projects / mirror_qemu.git / blobdiff